US20060026283A1 - System and method for updating software on a computer - Google Patents


Publication number
US20060026283A1
Authority
US
United States
Prior art keywords
computer
kiosk
program
security
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US10/903,257
Other versions
US8146072B2 (en)
Inventor
Luis Ruben Trueba
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hewlett Packard Enterprise Development LP
Original Assignee
Electronic Data Systems LLC
Application filed by Electronic Data Systems LLC
Priority to US10/903,257 (US8146072B2)
Assigned to ELECTRONIC DATA SYSTEMS CORPORATION. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TRUEBA, LUIS RUBEN ZAPIEN
Priority to PCT/US2005/024629 (WO2006019718A2)
Priority to CA002575157A (CA2575157A1)
Priority to AU2005275256A (AU2005275256A1)
Priority to EP05769551.2A (EP1779242B1)
Publication of US20060026283A1
Assigned to ELECTRONIC DATA SYSTEMS, LLC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: ELECTRONIC DATA SYSTEMS CORPORATION
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ELECTRONIC DATA SYSTEMS, LLC
Publication of US8146072B2
Application granted
Assigned to HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • This invention relates generally to network communications systems and more particularly to a system and method for updating software on a computer.
  • a computer contaminated with a worm, virus, or other malicious code can spread the contamination to other computing systems and networks without the knowledge or intent of the computer owner. For example, when a visitor to an enterprise facility brings in a computer that has a contaminated file or system and uses that computer to access an enterprise network, the worms and/or viruses contaminating the computer may be spread to other network elements in the enterprise network. Although virus scans and other security processes may be performed periodically to help restore the computer and to safeguard networks associated with the computer from further damage, such measures are generally remedial in nature. A great deal of damage may be done to the contaminated computer and to networks associated with the computer, however, before the presence of the malicious code is detected and the source of the contamination identified for remedial clean-up.
  • One aspect of the invention is a method for updating the version of software resident on a computer that includes providing a kiosk in a public place. A communication path is established between the kiosk and a computer to be tested. It is determined, using the kiosk, whether at least one program resident on the computer is a preferred version.
  • the invention has several important technical advantages. Various embodiments of the invention may have none, one, some, or all of these advantages without departing from the scope of the invention.
  • the invention allows for the selective restriction of access to an enterprise network. Specifically, the invention allows for the detection of malicious code in computers external to the enterprise network before those computers are allowed access to the enterprise network. Accordingly, computer equipment belonging to a visitor of an enterprise facility may be scanned for malicious code items before the visitor is given access to the enterprise network. Therefore, access to the enterprise network may be granted or denied on a case-by-case basis.
  • a stand-alone system may be provided to perform antivirus scans, security patch analyses, security practice assessments, or other security verification tests on a computer.
  • a kiosk may be located in an airport, internet cafe, shopping center, retail store, or any other public forum. The kiosk may provide the general public with easy and comprehensive access to security verification tests. Thus, members of the general public may be able to identify, diagnose, and remedy worms, viruses, and other malicious code items on their computers. As a result, the general health of the computer may be more easily maintained.
  • FIG. 1 illustrates a block diagram of a general purpose computer that may be used in accordance with the present invention
  • FIG. 2 illustrates a block diagram of an example system that may be used for restricting access to an enterprise network in accordance with the present invention
  • FIG. 3 illustrates an example kiosk for performing security verification tests on a computer in accordance with the present invention
  • FIG. 4 illustrates a flow chart describing an example method for restricting access to an enterprise network in accordance with the present invention.
  • FIG. 5 illustrates a flow chart describing an example method for performing security verification tests on a computer in accordance with the present invention.
  • FIGS. 1-5 of the drawings like numerals being used for like and corresponding parts of the various drawings.
  • FIG. 1 illustrates a general purpose computer 10 that may be used for restricting access to an enterprise network in accordance with the present invention.
  • general purpose computer 10 may comprise a portion of an enterprise network and may be used to execute applications and software to access various components of the enterprise network.
  • general purpose computer 10 may comprise a computer that is at least partially isolated from an enterprise network and operates to perform various tests and checks on visiting computers to selectively restrict access to the enterprise network.
  • general purpose computer 10 may operate to diagnose and remedy corrupted files and systems associated with other computers 10 .
  • General purpose computer 10 may be adapted to execute any of the well known MS-DOS, PC-DOS, OS2, UNIX, MAC-OS and Windows operating systems or other operating systems.
  • operating system may refer to the local operating system for computer 10 , a network operating system, or a combination of both.
  • General purpose computer 10 comprises processor 12 , random access memory (RAM) 14 , read only memory (ROM) 16 , mouse 18 , keyboard 20 , and input/output devices such as printer 24 , disk drives 22 , display 26 and communications link 28 .
  • the present invention includes programs that may be stored in RAM 14 , ROM 16 , or disk drives 22 and may be executed by processor 12 .
  • Disk drive 22 may include a variety of types of storage media such as, for example, floppy disk drives, hard disk drives, CD ROM drives, or magnetic tape drives. Disk drive 22 may also include a network disk housed in a server within the enterprise network. Although this embodiment employs a plurality of disk drives 22 , a single disk drive 22 could be used without departing from the scope of the invention.
  • FIG. 1 only provides one example of a computer that may be used with the invention. The invention could be used with computers other than general purpose computers as well as general purpose computers without conventional operating systems.
  • FIG. 2 illustrates a block diagram of an example system 40 that may be used for restricting access to an enterprise network 42 in accordance with the present invention.
  • System 40 operates to perform one or more checks or tests on a visiting computer before granting the visiting computer permission to access enterprise network 42 .
  • a security verification station 44 may be coupled to or otherwise associated with enterprise network 42 .
  • The security verification station 44 may include software and functionality for performing antivirus scans, security patch analyses, security practices assessments, and other security verification tests on a visiting computer.
  • the security verification tests may be performed to determine whether a malicious code is associated with the computer. Additionally or alternatively, the security verification tests may be performed to determine whether the computer's programs or configurations leave the computer vulnerable by permitting malicious code execution.
  • the malicious code may include any viruses, worms, denial of service attacks, or other code designed to cause damage to a computer or network system or otherwise interfere with the normal operations of a computer or network system. Because security verification station 44 performs the scans and security patch analyses before a visiting computer is allowed to access enterprise network 42 , access to enterprise network 42 may be denied to contaminated or vulnerable equipment. Alternatively, remedial measures may be taken to prevent the spreading of the contamination or to change program configurations to fix identified vulnerabilities. Thus, access to enterprise network 42 may be selectively granted to only those visiting computers that are free of vulnerabilities and contaminated systems and files.
  • enterprise network 42 comprises at least one network element 46 , a gateway server 48 , and a database 49 .
  • Enterprise network 42 may, however, have more or fewer components (of these or differing types) without departing from the scope of the invention.
  • Network elements 46 may include any devices that provide network services, provide access to network services, or provide a combination of these or other functionalities.
  • a network element 46 may comprise a computer, printer, fax machine, copier, or other network device.
  • a network element 46 may comprise a wireless router, port, or other communication device that may be used to establish communication with network computers and/or visiting computers to provide access to enterprise network 42 .
  • Gateway server 48 may include a node on enterprise network 42 that serves as an access point to enterprise network 42 .
  • Gateway server 48 may operate to route communications and other traffic to, from, and within enterprise network 42 .
  • Gateway server 48 may also act as a proxy server and a firewall.
  • gateway server 48 acts as a firewall between security verification station 44 and enterprise network 42 .
  • gateway server 48 may allow security verification station 44 selective access to enterprise network 42 .
  • gateway server 48 may include the hardware and/or software for preventing unauthorized access to or from enterprise network 42 .
  • gateway server 48 may be configured substantially like computer 10 described above with regard to FIG. 1 .
  • Gateway server 48 may include any general purpose computer with the appropriate applications and functionality for managing communications traversing enterprise network 42 . If gateway server 48 is excluded from system 40 , the functions described as pertaining to gateway server 48 may be performed by other servers or clients within enterprise network 42 .
  • security verification station 44 may include hardware appropriate for coupling to or communicating with a visiting computer. Additionally, security verification station 44 may include the appropriate software and functionality for the performance of antivirus scans, security practice assessments, and/or security patch analyses. Where security verification station comprises a computer, the computer may be configured substantially like computer 10 described above with regard to FIG. 1 or may include any other general purpose computer.
  • Security verification station 44 includes a communication module for communicating with a visiting computer.
  • the communication module includes a port and/or cord for physically coupling security verification station 44 with a corresponding port of a visiting computer.
  • the communication module may include a wireless router (or other wireless connection) for wirelessly communicating with the visiting computer.
  • a visitor to a facility associated with enterprise network 42 may gain access to restricted areas of the facility through a reception area where the visitor may be required to identify himself and any computer equipment that the visitor may have with him.
  • the visitor may be required to check-in with security or other enterprise personnel before being given access to the restricted areas.
  • security or other enterprise personnel may direct the visitor to security verification station 44 .
  • posted signs may direct the visitor to security verification station 44 .
  • the visitor may then couple a port of the visitor's computer to security verification station 44 using an appropriate cord and adapter (or connect using a wireless connection).
  • the coupling of the visiting computer to security verification station 44 may initiate the security verification process.
  • the security verification process may include the performance of one or more antivirus scans (which may scan for malicious code in addition to viruses) to identify any corrupted files or systems on the visiting computer.
  • security verification station 44 may include a computer with the latest and most up-to-date antivirus software for searching the hard drive of the visiting computer for malicious code items. A computer having malicious code items may be said to be corrupted, and a corrupted computer may be denied access to enterprise network 42 .
  • security verification station 44 may use remedial measures to remove or clean the corrupted files or systems.
  • security verification station 44 may perform the antivirus scan using software such as Viruscan offered by McAfee Associates, F-prot from Frisk Software, Thunderbyte from Thunderbyte B. B., or some combination of these or other network security systems.
  • the security verification process may also include the performance of one or more security patch analyses to verify that the systems on the visitor's computer have been installed with the latest software upgrades or security patches.
  • security verification station 44 may include software that scans and analyzes the visitor's computer for specific information about the version of the software supporting the operating system or other systems installed on the visitor's computer.
  • the security patch analyses may include querying the computer's operating system for version information. Where, for example, the operating system of the computer accepts commands eliciting information from the operating system, security verification station 44 may request a version identifier from the visitor's computer. The version identifier may be associated with the software supporting the operating system.
  • security verification station 44 may request a listing of the patches currently installed on the visitor's computer.
  • the operating system may search the system's files for flags or search a registry of upgraded patches already stored on the visitor's computer.
  • security verification station 44 may communicate commands to the operating system to request a time stamp or date.
  • the time stamp or date may also be associated with the software supporting the operating system.
  • Security verification station 44 may perform the security patch analyses using hardware and software such as Retina Network Security Scanner offered by eEye Digital Security, GFI LANguard Network Security Scanner 3.3 offered by GFI Software Limited, MegaPing offered by Magneto Software, Incorporated, Nessus offered by Renaud Deraison, or Foundstone FS1000 Appliance offered by Foundstone Strategic Security, or some combination of these or other network security systems.
  • a computer found to have a corrupted (or less than up-to-date) operating system may be denied access to enterprise network 42 .
  • a service patch may be applied to the operating system to fix the program. After receiving the upgraded patch, the visiting computer may be allowed to access enterprise network 42 .
  • the security verification tests may also include a security practices assessment to determine the security practices utilized by the visitor's computer.
  • security verification station 44 may query the visitor's computer to determine whether the computer employs any unsafe security practices.
  • security verification station 44 may test or query the visitor's computer to determine if the operating system has weak access control policies.
  • security verification station 44 may test the visitor's computer to determine if the computer accepts blank or other easily hacked passwords.
  • security verification station 44 may query the operating system to determine if the computer has any open NetBIOS ports for file and printer sharing.
  • A determination may be made as to whether the computer has been used to run rogue Web servers or to participate in peer-to-peer file-sharing.
  • unsafe security practices may include improper configurations of applications stored on the visitor's computer, which can leave a computer unprotected. For example, Microsoft Exchange's default configuration once left the server as an open SMTP relay, which was exploitable by spammers.
  • The unsafe practices described above are just a few examples of the types of practices and policies that a security practices assessment might be used to identify.
  • The security practices assessment may include the identification of any other known unsafe practices that endanger or otherwise leave vulnerable the computer's operating system and other computers on a common network.
  • a visiting computer may be tagged, labeled, or otherwise appropriately identified as being clean or corrupted.
  • a label may be affixed to the computer to indicate to enterprise employees, administrators, and security personnel that the visiting computer had none of the malicious code items tested for.
  • an identifier may be assigned to or associated with the visiting computer. The identifier may also be used to indicate whether the visiting computer is free of malicious code and/or not susceptible to malicious code attacks. Additionally, the identifier may indicate to enterprise network 42 that the visiting computer includes the most recently available system updates. In particular embodiments, the identifier may comprise a hardware serial number associated with the computer.
  • the identifier may correspond with the MAC address assigned to the computer.
  • the identifier may include a digital certificate provided to the computer. If the visiting computer is used to try to gain access to enterprise network 42 or network elements 46 , enterprise network 42 may query the visiting computer for the digital signature associated with the visiting computer when deciding whether to allow the visiting computer to access the enterprise network 42 .
  • security verification station 44 may communicate the identifier to enterprise network 42 .
  • the identifier assigned to the visiting computer may be stored in a database 49 where it may be accessed to authenticate the visiting computer if the visiting computer is used to try to gain access to enterprise network 42 .
  • enterprise network 42 may access database 49 to verify that an identifier is associated with the visiting computer.
  • Alternatively, enterprise network 42 may compare the identifier stored on the computer with the identifier stored in database 49 .
  • the visiting computer may be given access to enterprise network 42 or denied access to enterprise network 42 as is appropriate based on the identifier.
  • database 49 could be omitted and an identifier verified by a different means. For example, where a digital certificate is used, the certificate could be analyzed to determine whether it is valid or not.
  • security verification station 44 may be located at an access point to an enterprise facility.
  • security verification station 44 may comprise a kiosk located at an access point, which may include a reception or security area.
  • FIG. 3 illustrates an example kiosk 50 for performing security verification tests on a computer in accordance with the present invention. Before a visitor to an enterprise facility is allowed to enter the restricted area (or before the visitor can connect his computer to enterprise network 42 ), the visitor may be directed to use kiosk 50 to perform one or more security verification tests as described above.
  • Kiosk 50 includes a communication module 52 that may be used to communicate with a visiting computer.
  • communication module 52 includes a port that may be used to couple to an associated port of a visiting computer.
  • communication module 52 may include a wireless router or other wireless access point for wirelessly communicating with a visiting computer.
  • communication module may include an antenna through which a communication path may be established with the computer.
  • kiosk 50 may also include an outlet 54 (or cord) for providing electrical current to the visiting computer. Accordingly, a port or cord associated with the visiting computer may be coupled to outlet 54 so that the visiting computer may be powered up for the security verification tests.
  • kiosk 50 may also include a processor 55 with the software and/or hardware necessary for performing one or more security verification tests.
  • the security verification tests may be substantially like those described above with regard to FIG. 1 .
  • kiosk 50 may perform one or more antivirus scans, security patch analyses, and/or security practice assessments on a visiting computer.
  • kiosk 50 may comprise a stand alone system that operates independently of enterprise network 42 . The isolation of kiosk 50 from enterprise network 42 may further prevent the spreading of malicious code to enterprise network 42 from the visiting computer being tested by kiosk 50 .
  • kiosk 50 may be coupled to enterprise network 42 through gateway server 48 .
  • Kiosk 50 may have selective access to enterprise network 42 through gateway server 48 over a direct connection, a private network, or a public network, such as the Internet.
  • the software for performing the antivirus scans, security patch analyses, security practices assessments, or other security verification tests may be stored on kiosk 50 or on enterprise network 42 .
  • the software may be stored in database 49 or another server or storage unit in enterprise network 42 . Accordingly, for the purposes of performing the security verification tests on a visiting computer, kiosk 50 may be given limited access to enterprise network 42 . To prevent the spreading of malicious code from the visiting computer being tested, however, kiosk 50 may be at least partially isolated from enterprise network 42 .
  • Gateway server 48 may allow selective communications between kiosk 50 and enterprise network 42 .
  • kiosk 50 may, in some embodiments, communicate the identifier to enterprise network 42 .
  • the identifier may be stored in database 49 or another server or storage unit in enterprise network 42 and may be referenced by enterprise network 42 to determine whether to allow the visiting computer to access enterprise network 42 .
  • the identifier may not be communicated because the information required to verify the identifier is contained with the identifier or is part of the identifier.
  • Kiosk 50 may also include a display 56 to provide information to the visitor as the various security verification tests are being performed on the visitor's computer.
  • kiosk 50 includes a progress display 58 and a pass/fail indicator 60 .
  • Progress display 58 indicates to the visitor that kiosk 50 is in the process of performing security verification tests on the visitor's computer.
  • progress display 58 may include a light that is lit when the security verification tests are being performed. After the tests are completed, the light may turn off to indicate to the user that the computer may be safely removed from kiosk 50 . As a result, the visitor may be discouraged from prematurely removing the computer from kiosk 50 . Thus, damage to the computer and kiosk 50 may be prevented.
  • Display 56 may also include a pass/fail indicator 60 to indicate to the user that the security verification tests are completed.
  • Pass/fail indicator 60 may also indicate to the user whether the security verification tests discovered any corrupted files, corrupted systems, or other security vulnerabilities on the visitor's computer.
  • pass/fail indicator 60 may be illuminated with a red light when malicious code items are identified on the tested computer.
  • pass/fail indicator 60 may be illuminated green when kiosk 50 does not detect any malicious code on the computer.
  • pass/fail indicator 60 may indicate to the user that one or more files or systems are corrupted or, alternatively, that the computer is clean.
  • kiosk 50 may include a graphical interface display that may be used to present options or messages to the visitor.
  • kiosk 50 may communicate messages to the visitor's computer and the messages may be displayed directly on the graphical interface screen of the computer being tested.
  • kiosk 50 also includes a printing module 62 .
  • Printing module 62 may be operable to generate a printed label that may be used to identify the tested computer and to indicate the result of the security verification tests to enterprise personnel.
  • the printed label may be provided to the visitor or to security personnel operating kiosk 50 through a slot 64 .
  • a pass label may be printed and supplied to the user of kiosk 50 through slot 64 .
  • the pass label may be adhered to the visitor or the visitor's computer to indicate to enterprise employees, administrators, and security personnel that the computer is clean and may be granted access to enterprise network 42 and network elements 46 within enterprise network 42 .
  • printer module 62 may also operate to generate a fail label where it is determined that the tested computer is not free of malicious worms and viruses or is vulnerable to malicious code execution.
  • the fail label may also be provided to the visitor or security personnel operating kiosk 50 through slot 64 .
  • the printed fail label may be applied to the visitor or the visitor's computer to indicate to enterprise employees, administrators, and security personnel that the computer is not clean and should not be granted access to enterprise network 42 .
  • the fail label may be adapted to be adhered to one or more ports of the tested computer.
  • the label may be used to cover the one or more ports of the visitor's computer to indicate to the visitor and to employees, administrators, and security personnel of enterprise network 42 that the ports should not be used.
  • security personnel may also take the computer from the visitor and hold the computer for safe keeping until the visitor is ready to leave the enterprise facility.
  • the security personnel may receive notice from kiosk 50 that the visitor's computer has failed one or more security verification tests, and the security personnel may couple a plug, lock, or other physical impediment to the one or more ports of the visiting computer to prevent or deter the visitor from accessing enterprise network 42 once inside the facility.
  • the printing module 62 may also be separate from kiosk 50 without departing from the scope of the invention.
  • printing module 62 could be located behind a reception or security desk without departing from the scope of the invention.
  • kiosk 50 also includes a billing module 66 .
  • billing module 66 may be used to obtain and process payment information received from the user of kiosk 50 when the services offered by kiosk 50 are not free to the user.
  • kiosk 50 may offer remedial measures to the visitor of enterprise network 42 to fix or clean any corrupted files or systems identified on the visitor's computer before the visitor is granted access to enterprise network 42 .
  • remedial measures may include a software upgrade, the removal of corrupted files, the cleaning of corrupted files, or the application of required patches or upgrades.
  • billing module 66 may receive payment information from the visitor and authenticate the payment information where the payment information includes credit card information.
  • security verification station 44 may comprise any system for performing the described security verification tests.
  • security verification station 44 may be incorporated into a security or reception desk.
  • security verification station 44 may merely comprise a port at the security or reception desk to which the visiting computer may be coupled.
  • the port may be part of or coupled to a computer associated with the security or reception desk.
  • security or other enterprise personnel may ask the visitor to couple the visitor's computer to the port at the security or reception desk.
  • the security or other personnel may take the computer from the visitor to couple the computer to the port.
  • the security or reception desk may include a wireless router that may establish a communication path with the appropriate hardware of the visitor's computer without a physical coupling.
  • Although kiosk 50 is generally described as cooperating with an enterprise network 42 to safeguard the systems and files on enterprise network 42 from malicious code, it is generally recognized that kiosk 50 may operate independently of enterprise network 42 . Accordingly, kiosk 50 may be sufficiently isolated from enterprise network 42 such that any corrupted files or systems discovered on the visitor's computer are also isolated from enterprise network 42 . In other embodiments, kiosk 50 may have no association at all with an enterprise network. As such, kiosk 50 may include any stand-alone system for performing antivirus scans, security patch analyses, security practice assessments, or other security verification tests on a computer. For example, kiosk 50 may be located in an airport, internet cafe, shopping center, retail store, or any other public forum. Thus, and as will be described in more detail with regard to FIG.
  • kiosk 50 may be used to provide the general public with easy and comprehensive access to security verification tests.
  • a user may include any member of the general public.
  • any member of the general public may be able to identify, diagnose, and remedy malicious code items on the user's computer, and the general health of the individually owned computers may be more easily maintained.
  • Kiosk 50 may also be used to provide updates to software applications resident on a computer connected to kiosk 50.
  • kiosk 50 may check the computer to determine whether various software applications on the visitor's computer are a preferred version.
  • the preferred version may be the most current version available or a version that is required by enterprise network 42 for security purposes. In other embodiments, the preferred version may be the version suggested or required by a provider of the software application.
  • kiosk 50 may automatically update the software to the preferred version. Where a fee is charged for such an upgrade, kiosk 50 may collect the fee in the manner described herein.
  • FIG. 4 illustrates a flow chart describing an example method for restricting access to enterprise network 42 in accordance with the present invention.
  • the method described herein may be carried out using computer software, as can any or all of the processes described herein. That software may be executed by security verification station 44, gateway server 48, network element 46, kiosk 50, computer 10, or any other computer or combination of computers.
  • a security verification station 44 is provided.
  • the security verification station 44 may be provided at an enterprise access point.
  • security verification station 44 may comprise a kiosk 50 located at an entrance to an enterprise facility.
  • the kiosk 50 may be proximate to a manned security or reception desk or may stand-alone independent of any security or reception desk.
  • security verification station 44 may comprise a computer associated with the manned security or reception desk.
  • a visitor to the enterprise facility may be required to identify and check-in any computer equipment that the visitor desires to bring into the enterprise facility.
  • Security personnel, reception personnel, or instructional signs may direct the visitor to security verification station 44 for performance of one or more security verification tests on the visitor's computer.
  • step 102 communication between security verification station 44 and the visitor's computer is established.
  • step 104 a determination may be made as to whether the visitor's computer includes one or more malicious code items or whether the visitor's computer includes programs or configurations that leave the computer vulnerable to malicious code attacks by permitting execution of malicious code items. The determination may be made by performing an antivirus scan on the files stored on the visitor's computer to identify any files corrupted with viruses, worms or other malicious code. Additionally or alternatively, security patch analyses may be performed (in the manner described above) on the visitor's computer to determine whether the computer's operating and other systems are running using the most up to date code.
  • kiosk 50 may query the computer to determine whether the computer employs any unsafe security practices, as described above.
  • the security practice assessment may be performed in conjunction with the security patch analyses or may be performed alternatively to the security patch analyses.
  • the security verification tests may be performed before the visitor is allowed to proceed into the restricted portions of the enterprise facility with the computer. Thus, the tests may deter the passing on of malicious code present on the visitor's computer to enterprise network 42. In another example, where kiosk 50 is operating independently of any enterprise network, the security verification tests may be performed to improve the general health of the tested computer and to prevent the spreading of malicious code to other computing devices and systems.
  • step 106 the fact that the computer is clean may be indicated to the visitor or other user.
  • pass/fail indicator 60 may flash or display an appropriate color identifying that the tested computer does not contain worms, viruses, or other malicious code tested for.
  • Pass/fail indicator 60 may also identify whether the tested computer has any programs or configurations that make the computer vulnerable to malicious code attacks.
  • pass/fail indicator 60 may indicate whether or not the computer will be granted access to network elements 46 and other resources on an enterprise network 42.
  • security verification station 44 is associated with a security or reception desk, personnel at the desk may inform the visitor of the results of the security verification tests.
  • security verification station 44 is associated with an enterprise network 42
  • the computer may be identified as clean or uncorrupted to enterprise network 42 at step 108.
  • kiosk 50 or a printer associated with a security or reception desk proximate to security verification station 44 may print a label that may be adhered to the visitor's computer or to the visitor.
  • the label may indicate to enterprise employees, administrators, and security personnel that the tested computer is authorized to access network elements 46 or other resources on enterprise network 42.
  • an identifier may be assigned to or otherwise associated with the visitor's computer.
  • the identifier may be stored in database 49 associated with enterprise network 42, or a digital certificate may be provided to the visitor's computer.
  • the visitor may be given access to the enterprise facility.
  • the visitor may be allowed to take the tested computer into the enterprise facility or into restricted areas of the enterprise facility. Thereafter, if the visitor tries to access network elements 46, or other resources on enterprise network 42, access may be granted to the visitor and/or the tested computer.
  • the stored identifier may be referenced for determining that access to enterprise network 42 may be granted.
  • enterprise network 42 may query the visitor's computer for a digital certificate stored on the computer.
  • step 112 the method may proceed to step 112 where the fact that the computer includes corrupted files or systems may be indicated to the visitor.
  • pass/fail indicator 60 may flash or display an appropriate color identifying that a problem has been identified with the visitor's computer.
  • security verification station 44 is associated with enterprise network 42, personnel at a security or reception desk may additionally or alternatively inform the visitor that a problem exists on the tested computer.
  • the computer may be identified as including corrupted files or systems to enterprise network 42.
  • an identifier may be assigned to the visitor's computer, and the identifier stored in database 49 associated with enterprise network 42. If the visitor tries to access enterprise network 42 after being granted access to the enterprise facility, the stored identifier may be referenced for determining whether to allow the visitor's computer to access enterprise network 42.
  • security personnel may be notified of the corrupted nature of the visitor's computer and the computer may be held by the security personnel while the visitor is in the enterprise facility.
  • remedial measures may be offered to the visitor at step 116 (which could occur earlier or later).
  • kiosk 50 or security personnel associated with enterprise network 42 may offer a software upgrade or other fix to the visitor or user.
  • the upgrade or other fix may include the removal of the corrupted files or the application of patches or upgrades to the computer's systems.
  • certain settings may be made such that security practices are acceptable to the operator of enterprise network 42. In either case, the visitor may be given the option of having these changes made. If the visitor or user desires remedial measures to be taken to repair the computer's files or systems, the method proceeds to step 118 where payment information may be obtained if the remedial measures are not free to the visitor or user.
  • kiosk 50 or the security desk associated with the enterprise facility may have equipment for obtaining credit information or other payment information from the visitor.
  • the equipment may also be capable of authenticating credit information received from the visitor or user.
  • the credit information may be authenticated at step 120 and remedial measures taken at step 122.
  • the remedial measures taken may include the removal or cleaning of the one or more corrupted files from the visitor's computer.
  • the remedial measures may include the patching of a corrupted system with clean code or the updating of software to a more current version.
  • the method may then continue at step 110 where the visiting computer is allowed access to enterprise network 42. The method may then terminate.
  • steps 116-122 may be omitted from the security verification process.
  • the system described may be used merely to identify corrupted files and systems. Where such remedial measures are not offered or are not accepted by the visitor and the computer is identified as having a malicious code or virus or as being vulnerable to malicious codes or viruses, however, the visiting computer may be denied access (in any of the ways described above) to enterprise network 42 at step 124.
  • FIG. 5 illustrates a flow chart describing an example method for performing security verification tests on a computer in accordance with the present invention.
  • the method described herein may be carried out using computer software, as can any or all of the processes described herein. That software may be executed by security verification station 44, gateway server 48, network element 46, kiosk 50, computer 10, or any other computer or combination of computers.
  • the method of FIG. 5 can also be used to upgrade software applications to a preferred version.
  • the preferred version may be that which is most recently available, that which is required by an enterprise network 42, or that which is required or suggested by a provider of the software application.
  • a kiosk 50 is provided in a public location.
  • kiosk 50 may be located in an airport, shopping center, retail establishment, or other public forum.
  • kiosk 50 may be used to perform various security verification tests on the user's computer.
  • kiosk 50 may be used to perform security patch analyses to verify that the applications and/or systems on the user's computer have been installed with the latest software upgrades or security patches.
  • kiosk 50 may be used to perform antivirus scans to identify, detect, and, in some cases, remedy any files or systems that are corrupted with viruses, worms, or other malicious code.
  • Kiosk 50 may also be used to perform security practice assessments to determine whether any systems on the computer employ unsafe security practices.
  • kiosk 50 may be located at an access point to an enterprise facility. In such embodiments, kiosk 50 may perform security verification tests similar to those described above in an effort to restrict a user's access to an enterprise network 42.
  • kiosk 50 may include a port or other connectable device that may be coupled to a port of the user's computer.
  • kiosk 50 may include a wireless router (or other wireless connection) for establishing a wireless communication path with appropriate hardware and software of the user's computer.
  • kiosk 50 may display one or more security verification options to the user.
  • the options may be displayed on display 56 or on the graphical interface screen of the user's computer.
  • the displayed options may include a variety of security verification tests (or other tests) from which the user may choose.
  • the options may include security patch analyses, software installments or upgrades, antivirus scans, security practices assessments, and any other processes for improving the security and health of the user's computer.
  • kiosk 50 may offer all of these options to the user, it is recognized that kiosk 50 may offer any one of these or other security verification tests and may offer any combination of the same.
  • kiosk 50 may have equipment for obtaining and processing credit card information or other payment information (e.g., debit card, ATM card, or smart card information) from the user.
  • kiosk 50 may have a credit card swipe or slot that reads payment information from the user's credit card.
  • the kiosk 50 may then be capable of authenticating the credit card information over a telephone line, public network, or private network to verify that payment has been obtained. The payment step could occur later without departing from the scope of the invention.
  • kiosk 50 may perform a security patch analysis (or current software version analysis) by scanning and analyzing the operating or other systems or applications on the user's computer. The scan may be performed to determine if the computer has the preferred software. The security patch analysis may be performed by querying the computer's operating system for specific information about the version of the software supporting the operating system. Additionally or alternatively, kiosk 50 may query the computer's operating system to identify a time stamp or date stamp that is associated with the software supporting the operating system.
  • a security patch analysis or current software version analysis
  • the operating system may accept commands eliciting information about what patches are installed. Accordingly, the operating system may respond to such commands by providing kiosk 50 with a list of the patches installed. Similar functionality may be provided for various software applications. This step could also include a scan for malicious code and/or remedying of a malicious code issue with any of the options described above.
  • kiosk 50 may query the computer to determine whether the computer employs any unsafe security practices as described above.
  • the security verification tests performed at step 210 indicate that the user's computer does not need a security patch, this is indicated to the user at step 212.
  • the indication to the user may be made using pass/fail indicator 60 or by displaying a message to the user on display 56 or the graphical interface screen of the user's computer.
  • the security verification tests performed at step 210 indicate that the user's computer needs a security patch, this need is indicated to the user at step 214.
  • the indication may also be made using pass/fail indicator 60 , display 56 , or the graphical interface screen of the user's computer.
  • the necessary patches are applied to the computer's systems or files. For example, where kiosk 50 has determined that a file supporting the operating system is outdated, the outdated file or portion of code may be replaced with a newer version.
  • a determination may be made as to whether the visitor's computer includes one or more malicious code items. The determination may be made by performing an antivirus scan on the files stored on the user's computer to identify malicious code items associated with the files. Where present, the malicious code items may indicate that one or more files on the user's computer are corrupted with a virus, worm, or other malicious code. The performance of the antivirus scan may improve the general health of the user's computer and deter the spread of malicious code to other computing devices and systems. The malicious code scan could be performed before the scan of step 208 or in conjunction therewith without departing from the scope of the invention.
  • step 220 the fact that the computer is clean may be indicated to the user.
  • pass/fail indicator 60 may flash or display an appropriate color identifying that the tested computer is free of worms, viruses, and other malicious code.
  • the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer.
  • the antivirus scan performed at step 216 indicates that the user's computer has one or more malicious code items, however, the fact that the computer includes corrupted files is indicated to the user at step 222.
  • pass/fail indicator 60 may flash or display an appropriate color identifying that a problem has been identified with the tested computer.
  • the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer.
  • remedial measures may be applied to the user's computer if the user selected that option at step 204
  • kiosk 50 may remove the one or more corrupted files from the visitor's computer.
  • kiosk 50 may clean the one or more corrupted files by removing the malicious code items.
  • step 224 may be omitted.
  • the method may merely include the identification of corrupted files and systems. Where such remedial measures are not offered or are not accepted by the visitor and the computer is identified as having a malicious code or virus, however, the user may utilize other remedial systems to repair the corrupted files or systems.
  • a scan of the computer's programs and systems may be performed to determine whether antivirus software is installed on the computer. Where such a program is identified, version information associated with the antivirus software may be obtained to determine if the software is a preferred antivirus software. The version information may be compared with version information associated with the latest version available or a preferred version.
  • step 226 may include the performance of an updating procedure for the signature and .dat files on the tested computer.
  • step 228 the fact that the computer's systems are up to date may be indicated to the user.
  • pass/fail indicator 60 may flash or display an appropriate color identifying that the tested computer includes the preferred antivirus software.
  • the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer.
  • pass/fail indicator 60 may flash or display an appropriate color identifying that a problem has been identified with the tested computer.
  • the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer.
  • remedial measures may be applied to the user's computer if the user selected that option at step 204
  • kiosk 50 may install the preferred antivirus software program on the computer.
  • kiosk 50 may apply one or more patches or upgrades to the computer's existing antivirus software.
  • the programs and system patches stored in kiosk 50 may be periodically updated at step 234.
  • the viruses known to the antivirus scan may be periodically updated such that kiosk 50 may diagnose and remedy recently released viruses, worms, and other malicious code.
  • the signature files or .dat files identifying harmful malicious codes that are searched for by the kiosk's antivirus software application may be updated or replaced.
  • kiosk 50 may communicate with a public network such as the Internet to download the latest versions of antivirus software, security patches, and information about the latest viruses, worms, and other malicious code.
  • a hard drive or other memory or database may be updated manually. Thus, the hard drive with kiosk 50 may be replaced, or new files may be saved to the system.
  • kiosk 50 may be able to clean or protect a computer from the latest version of malicious code that is being used to interfere with the normal operation of computing systems. Additionally, and in particular embodiments, kiosk 50 may be able to offer the latest antivirus software available for downloading to the computer.
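The check-in flow of FIG. 4 combined with the version and patch comparison of FIG. 5, sketched as an added example (this is not code from the patent). The inventory format, program names, patch identifiers and the `PostureDatabase` class standing in for database 49 are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date


def parse_version(text):
    """Turn '5.10.0' into (5, 10) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:   # '5.0' and '5' are the same version
        parts.pop()
    return tuple(parts)


@dataclass
class Baseline:
    """Preferred state held by the kiosk (all values below are constructed)."""
    preferred_versions: dict      # program name -> preferred (minimum) version
    required_patches: set         # patch identifiers that must be installed
    min_signature_date: date      # oldest acceptable antivirus signature file


@dataclass
class Inventory:
    """What the tested computer reports when queried (hypothetical format)."""
    computer_id: str
    programs: dict                # program name -> installed version
    patches: set                  # installed patch identifiers
    signature_date: date = None   # None means no antivirus software was found
    malicious_items: list = field(default_factory=list)


def assess(inv, base):
    """Return the list of findings; an empty list means the computer passes."""
    findings = [f"malicious code item: {m}" for m in inv.malicious_items]
    for name, preferred in sorted(base.preferred_versions.items()):
        installed = inv.programs.get(name)
        if installed is not None and parse_version(installed) < parse_version(preferred):
            findings.append(f"{name} {installed} is older than preferred {preferred}")
    for patch in sorted(base.required_patches - inv.patches):
        findings.append(f"missing patch: {patch}")
    if inv.signature_date is None:
        findings.append("no antivirus software found")
    elif inv.signature_date < base.min_signature_date:
        findings.append("antivirus signatures out of date")
    return findings


def remediate(inv, base):
    """Model the remedial measures: clean, upgrade, patch, refresh signatures."""
    programs = dict(inv.programs)
    for name, preferred in base.preferred_versions.items():
        if name in programs and parse_version(programs[name]) < parse_version(preferred):
            programs[name] = preferred
    sig = inv.signature_date
    if sig is None or sig < base.min_signature_date:
        sig = base.min_signature_date
    return Inventory(inv.computer_id, programs,
                     inv.patches | base.required_patches, sig, [])


class PostureDatabase:
    """Stand-in for the database that stores an identifier per tested computer."""

    def __init__(self):
        self._results = {}

    def record(self, computer_id, findings):
        self._results[computer_id] = list(findings)

    def access_allowed(self, computer_id):
        # Default deny: a computer that was never tested is treated as failing.
        return self._results.get(computer_id, ["never tested"]) == []


def check_in(inv, base, db, accept_remediation=False):
    """Assess, optionally remediate and re-assess, then store the result."""
    findings = assess(inv, base)
    if findings and accept_remediation:
        findings = assess(remediate(inv, base), base)
    db.record(inv.computer_id, findings)
    return findings


# Constructed sample data for the example.
BASE = Baseline({"exampleos": "5.10", "examplemail": "2.0"},
                {"PATCH-001", "PATCH-002"}, date(2004, 7, 1))
VISITOR = Inventory("visitor-laptop-1", {"exampleos": "5.9"},
                    {"PATCH-001"}, date(2004, 5, 1))

if __name__ == "__main__":
    db = PostureDatabase()
    print(check_in(VISITOR, BASE, db), db.access_allowed(VISITOR.computer_id))
    print(check_in(VISITOR, BASE, db, True), db.access_allowed(VISITOR.computer_id))
```

Comparing the version strings directly would rank "5.9" above "5.10" and let the outdated program pass, which is why the comparison is done on parsed integers.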

Abstract

One aspect of the invention is a method for updating the version of software resident on a computer that includes providing a kiosk in a public place. A communication path is established between the kiosk and a computer to be tested. It is determined, using the kiosk, whether at least one program resident on the computer is a preferred version.

Description

    TECHNICAL FIELD OF THE INVENTION
  • This invention relates generally to network communications systems and more particularly to a system and method for updating software on a computer.
  • BACKGROUND OF THE INVENTION
  • A computer contaminated with a worm, virus, or other malicious code can spread the contamination to other computing systems and networks without the knowledge or intent of the computer owner. For example, when a visitor to an enterprise facility brings in a computer that has a contaminated file or system and uses that computer to access an enterprise network, the worms and/or viruses contaminating the computer may be spread to other network elements in the enterprise network. Although virus scans and other security processes may be performed periodically to help restore the computer and to safeguard networks associated with the computer from further damage, such measures are generally remedial in nature. A great deal of damage may be done to the contaminated computer and to networks associated with the computer, however, before the presence of the malicious code is detected and the source of the contamination identified for remedial clean-up.
  • SUMMARY OF THE INVENTION
  • One aspect of the invention is a method for updating the version of software resident on a computer that includes providing a kiosk in a public place. A communication path is established between the kiosk and a computer to be tested. It is determined, using the kiosk, whether at least one program resident on the computer is a preferred version.
  • The invention has several important technical advantages. Various embodiments of the invention may have none, one, some, or all of these advantages without departing from the scope of the invention. In particular embodiments, the invention allows for the selective restriction of access to an enterprise network. Specifically, the invention allows for the detection of malicious code in computers external to the enterprise network before those computers are allowed access to the enterprise network. Accordingly, computer equipment belonging to a visitor of an enterprise facility may be scanned for malicious code items before the visitor is given access to the enterprise network. Therefore, access to the enterprise network may be granted or denied on a case-by-case basis.
  • In other embodiments, a stand-alone system may be provided to perform antivirus scans, security patch analyses, security practice assessments, or other security verification tests on a computer. In particular embodiments, a kiosk may be located in an airport, internet cafe, shopping center, retail store, or any other public forum. The kiosk may provide the general public with easy and comprehensive access to security verification tests. Thus, members of the general public may be able to identify, diagnose, and remedy worms, viruses, and other malicious code items on their computers. As a result, the general health of the computer may be more easily maintained.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a more complete understanding of the present invention and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings in which:
  • FIG. 1 illustrates a block diagram of a general purpose computer that may be used in accordance with the present invention;
  • FIG. 2 illustrates a block diagram of an example system that may be used for restricting access to an enterprise network in accordance with the present invention;
  • FIG. 3 illustrates an example kiosk for performing security verification tests on a computer in accordance with the present invention;
  • FIG. 4 illustrates a flow chart describing an example method for restricting access to an enterprise network in accordance with the present invention; and
  • FIG. 5 illustrates a flow chart describing an example method for performing security verification tests on a computer in accordance with the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION
  • The preferred embodiment of the present invention and its advantages are best understood by referring to FIGS. 1-5 of the drawings, like numerals being used for like and corresponding parts of the various drawings.
  • FIG. 1 illustrates a general purpose computer 10 that may be used for restricting access to an enterprise network in accordance with the present invention. In certain embodiments, general purpose computer 10 may comprise a portion of an enterprise network and may be used to execute applications and software to access various components of the enterprise network. In certain embodiments, general purpose computer 10 may comprise a computer that is at least partially isolated from an enterprise network and operates to perform various tests and checks on visiting computers to selectively restrict access to the enterprise network. In particular embodiments, general purpose computer 10 may operate to diagnose and remedy corrupted files and systems associated with other computers 10.
  • General purpose computer 10 may be adapted to execute any of the well known MS-DOS, PC-DOS, OS2, UNIX, MAC-OS and Windows operating systems or other operating systems. As used in this document, operating system may refer to the local operating system for computer 10, a network operating system, or a combination of both. General purpose computer 10 comprises processor 12, random access memory (RAM) 14, read only memory (ROM) 16, mouse 18, keyboard 20, and input/output devices such as printer 24, disk drives 22, display 26 and communications link 28. The present invention includes programs that may be stored in RAM 14, ROM 16, or disk drives 22 and may be executed by processor 12. Communications link 28 is connected to a computer network but could be connected to a telephone line, an antenna, a gateway, or any other type of communication link. Disk drive 22 may include a variety of types of storage media such as, for example, floppy disk drives, hard disk drives, CD ROM drives, or magnetic tape drives. Disk drive 22 may also include a network disk housed in a server within the enterprise network. Although this embodiment employs a plurality of disk drives 22, a single disk drive 22 could be used without departing from the scope of the invention. FIG. 1 only provides one example of a computer that may be used with the invention. The invention could be used with computers other than general purpose computers as well as general purpose computers without conventional operating systems.
  • FIG. 2 illustrates a block diagram of an example system 40 that may be used for restricting access to an enterprise network 42 in accordance with the present invention. System 40 operates to perform one or more checks or tests on a visiting computer before granting the visiting computer permission to access enterprise network 42. As will be described in more detail below, a security verification station 44 may be coupled to or otherwise associated with enterprise network 42. The security verification station 44 may include software and functionality for performing antivirus scans, security patch analyses, security practices assessments, and other security verification tests on a visiting computer. The security verification tests may be performed to determine whether a malicious code is associated with the computer. Additionally or alternatively, the security verification tests may be performed to determine whether the computer's programs or configurations leave the computer vulnerable by permitting malicious code execution. The malicious code may include any viruses, worms, denial of service attacks, or other code designed to cause damage to a computer or network system or otherwise interfere with the normal operations of a computer or network system. Because security verification station 44 performs the scans and security patch analyses before a visiting computer is allowed to access enterprise network 42, access to enterprise network 42 may be denied to contaminated or vulnerable equipment. Alternatively, remedial measures may be taken to prevent the spreading of the contamination or to change program configurations to fix identified vulnerabilities. Thus, access to enterprise network 42 may be selectively granted to only those visiting computers that are free of vulnerabilities and contaminated systems and files.
  • In the illustrated example, enterprise network 42 comprises at least one network element 46, a gateway server 48, and a database 49. Enterprise network 42 may have, however, more or less components (of these or differing types) without departing from the scope of the invention. Network elements 46 may include any devices that provide network services, provide access to network services, or provide a combination of these or other functionalities. For example, in particular embodiments, a network element 46 may comprise a computer, printer, fax machine, copier, or other network device. In other embodiments, a network element 46 may comprise a wireless router, port, or other communication device that may be used to establish communication with network computers and/or visiting computers to provide access to enterprise network 42.
  • Gateway server 48 may include a node on enterprise network 42 that serves as an access point to enterprise network 42. Gateway server 48 may operate to route communications and other traffic to, from, and within enterprise network 42. Gateway server 48 may also act as a proxy server and a firewall. In certain embodiments, gateway server 48 acts as a firewall between security verification station 44 and enterprise network 42. Thus, gateway server 48 may allow security verification station 44 selective access to enterprise network 42. Accordingly, gateway server 48 may include the hardware and/or software for preventing unauthorized access to or from enterprise network 42. In particular embodiments, gateway server 48 may be configured substantially like computer 10 described above with regard to FIG. 1. Alternatively, gateway server 48 may include any general purpose computer with the appropriate applications and functionality for managing communications traversing enterprise network 42. If gateway server 48 is excluded from system 40, the functions described as pertaining to gateway server 48 may be performed by other servers or clients within enterprise network 42.
  • As will be described in more detail below, security verification station 44 may include hardware appropriate for coupling to or communicating with a visiting computer. Additionally, security verification station 44 may include the appropriate software and functionality for the performance of antivirus scans, security practice assessments, and/or security patch analyses. Where security verification station comprises a computer, the computer may be configured substantially like computer 10 described above with regard to FIG. 1 or may include any other general purpose computer.
  • Security verification station 44 includes a communication module for communicating with a visiting computer. In particular embodiments, the communication module includes a port and/or cord for physically coupling security verification station 44 with a corresponding port of a visiting computer. In other embodiments, the communication module may include a wireless router (or other wireless connection) for wirelessly communicating with the visiting computer. Once the visiting computer is coupled to or otherwise in communication with security verification station 44, various security processes may be performed to determine whether the files and/or systems of the visiting computer are contaminated with one or more malicious code items or include the most recent software upgrades to prevent contamination by malicious code items.
  • For example, a visitor to a facility associated with enterprise network 42 may gain access to restricted areas of the facility through a reception area where the visitor may be required to identify himself and any computer equipment that the visitor may have with him. In some enterprise facilities, the visitor may be required to check-in with security or other enterprise personnel before being given access to the restricted areas. In particular embodiments, security or other enterprise personnel may direct the visitor to security verification station 44. Alternatively, posted signs may direct the visitor to security verification station 44. The visitor may then couple a port of the visitor's computer to security verification station 44 using an appropriate cord and adapter (or connect using a wireless connection). In particular embodiments, the coupling of the visiting computer to security verification station 44 may initiate the security verification process.
  • The security verification process may include the performance of one or more antivirus scans (which may scan for malicious code in addition to viruses) to identify any corrupted files or systems on the visiting computer. For example, security verification station 44 may include a computer with the latest and most up-to-date antivirus software for searching the hard drive of the visiting computer for malicious code items. A computer having malicious code items may be said to be corrupted, and a corrupted computer may be denied access to enterprise network 42. In particular embodiments, security verification station 44 may use remedial measures to remove or clean the corrupted files or systems. In particular embodiments, security verification station 44 may perform the antivirus scan using software such as Viruscan offered by McAfee Associates, F-prot from Frisk Software, Thunderbyte from Thunderbyte B. B., or some combination of these or other network security systems.
  • In certain embodiments, the security verification process may also include the performance of one or more security patch analyses to verify that the systems on the visitor's computer have been installed with the latest software upgrades or security patches. For example, security verification station 44 may include software that scans and analyzes the visitor's computer for specific information about the version of the software supporting the operating system or other systems installed on the visitor's computer. In particular embodiments, the security patch analyses may include querying the computer's operating system for version information. Where, for example, the operating system of the computer accepts commands eliciting information from the operating system, security verification station 44 may request a version identifier from the visitor's computer. The version identifier may be associated with the software supporting the operating system. Alternatively or additionally, security verification station 44 may request a listing of the patches currently installed on the visitor's computer. In response to the query or request, the operating system may search the system's files for flags or search a registry of upgraded patches already stored on the visitor's computer.
  • Additionally or alternatively, security verification station 44 may communicate commands to the operating system to request a time stamp or date. The time stamp or date may also be associated with the software supporting the operating system.
  • In particular embodiments, security verification station 44 may perform the security patch analyses using hardware and software such as Retina Network Security Scanner offered by eEye Digital Security, GFI LANguard Network Security Scanner 3.3 offered by GFI Software Limited, MegaPing offered by Magneto Software, Incorporated, Nessus offered by Renaud Deraison, or Foundstone FS1000 Appliance offered by Foundstone Strategic Security, or some combination of these or other network security systems. A computer found to have a corrupted (or less than up-to-date) operating system may be denied access to enterprise network 42. In particular embodiments, a service patch may be applied to the operating system to fix the program. After receiving the upgraded patch, the visiting computer may be allowed to access enterprise network 42.
  • In particular embodiments, the security verification tests may also include a security practices assessment to determine the security practices utilized by the visitor's computer. To this end, security verification station 44 may query the visitor's computer to determine whether the computer employs any unsafe security practices. For example, security verification station 44 may test or query the visitor's computer to determine if the operating system has weak access control policies. For example, security verification station 44 may test the visitor's computer to determine if the computer accepts blank or other easily hacked passwords. As another example, security verification station 44 may query the operating system to determine if the computer has any open NetBIOS ports for file and printer sharing. As still another example, a determination may be made as to whether the computer has been used to run rogue Web servers or to participate in peer-to-peer file-sharing. Other unsafe security practices may include improper configurations of applications stored on the visitor's computer, which can leave a computer unprotected. For example, Microsoft Exchange's default configuration once left the server as an open SMTP relay, which was exploitable by spammers. The unsafe practices described above, however, are just a few examples of the types of practices and policies that a security practices assessment might be used to identify. The security practices assessment may include the identification of any other known unsafe practices that endanger or otherwise leave vulnerable the computer's operating system and other computers on a common network.
  • Based on the results of the security verification tests performed, a visiting computer may be tagged, labeled, or otherwise appropriately identified as being clean or corrupted. For example, in particular embodiments, a label may be affixed to the computer to indicate to enterprise employees, administrators, and security personnel that the visiting computer had none of the malicious code items tested for. Additionally or alternatively, an identifier may be assigned to or associated with the visiting computer. The identifier may also be used to indicate whether the visiting computer is free of malicious code and/or not susceptible to malicious code attacks. Additionally, the identifier may indicate to enterprise network 42 that the visiting computer includes the most recently available system updates. In particular embodiments, the identifier may comprise a hardware serial number associated with the computer. For example, the identifier may correspond with the MAC address assigned to the computer. In still other embodiments, the identifier may include a digital certificate provided to the computer. If the visiting computer is used to try to gain access to enterprise network 42 or network elements 46, enterprise network 42 may query the visiting computer for the digital signature associated with the visiting computer when deciding whether to allow the visiting computer to access the enterprise network 42.
  • Where security verification station 44 is coupled to enterprise network 42 through a private or public connection, security verification station 44 may communicate the identifier to enterprise network 42. The identifier assigned to the visiting computer may be stored in a database 49 where it may be accessed to authenticate the visiting computer if the visiting computer is used to try to gain access to enterprise network 42. For example, if the visitor associated with a verified computer connects to enterprise network 42 to send a print job to a network element 46, enterprise network 42 may access database 49 to verify that an identifier is associated with the visiting computer. Alternatively, enterprise network 42 may compare the identifier stored on the computer with the identifier stored in database 49. The visiting computer may be given access to enterprise network 42 or denied access to enterprise network 42 as is appropriate based on the identifier. Alternatively, database 49 could be omitted and an identifier verified by a different means. For example, where a digital certificate is used, the certificate could be analyzed to determine whether it is valid or not.
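The two verification routes described above (a record looked up in database 49, or an identifier that carries what is needed to check it) can be sketched as follows. This is an added example, not code from the patent: an HMAC tag stands in for the digital certificate, and the key, field names, function names, and sample addresses are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret shared by the verification station and the gateway.
STATION_KEY = b"constructed-demo-key"


def _check_claims(claims, presented_mac, now):
    """Checks common to both routes: binding, freshness, recorded result."""
    # The address is whatever the connecting device presents, so this binds
    # the result to an address, not to a physical machine.
    if claims["mac"] != presented_mac.lower():
        return False, "hardware address mismatch"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["result"] != "clean":
        return False, "station recorded result: " + claims["result"]
    return True, "ok"


def issue_identifier(mac, result, issued_at, ttl_seconds, key=STATION_KEY):
    """Station side: produce a self-contained identifier for the tested computer."""
    claims = {"mac": mac.lower(), "result": result, "exp": issued_at + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(part).decode() for part in (body, tag))


def verify_identifier(token, presented_mac, now, key=STATION_KEY):
    """Gateway side, no database: authenticate the identifier, then read it."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    # Only parse the claims after the tag has been verified.
    return _check_claims(json.loads(body), presented_mac, now)


def lookup_identifier(database, presented_mac, now):
    """Gateway side, database route: the record is trusted because of where it is stored."""
    record = database.get(presented_mac.lower())
    if record is None:
        return False, "no record"
    return _check_claims(record, presented_mac, now)


if __name__ == "__main__":
    # Constructed sample values.
    mac = "00:11:22:AA:BB:CC"
    token = issue_identifier(mac, "clean", issued_at=1000, ttl_seconds=3600)
    print(verify_identifier(token, mac, now=2000))
    print(verify_identifier(token, mac, now=5000))
    db = {"00:11:22:aa:bb:cc": {"mac": "00:11:22:aa:bb:cc", "result": "clean", "exp": 4600}}
    print(lookup_identifier(db, mac, now=2000))
```

Both routes give the result an expiry, which the text does not specify; without one, a computer that passed once would be accepted indefinitely.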
  • As described above, security verification station 44 may be located at an access point to an enterprise facility. In particular embodiments, security verification station 44 may comprise a kiosk located at an access point, which may include a reception or security area. FIG. 3 illustrates an example kiosk 50 for performing security verification tests on a computer in accordance with the present invention. Before a visitor to an enterprise facility is allowed to enter the restricted area (or before the visitor can connect his computer to enterprise network 42), the visitor may be directed to use kiosk 50 to perform one or more security verification tests as described above.
  • Kiosk 50 includes a communication module 52 that may be used to communicate with a visiting computer. In particular embodiments, communication module 52 includes a port that may be used to couple to an associated port of a visiting computer. In other embodiments, communication module 52 may include a wireless router or other wireless access point for wirelessly communicating with a visiting computer. For example, communication module may include an antenna through which a communication path may be established with the computer. To perform the security verification tests on the visitor's computer, the visitor may be required to boot up or otherwise power on the computer. To this end, kiosk 50 may also include an outlet 54 (or cord) for providing electrical current to the visiting computer. Accordingly, a port or cord associated with the visiting computer may be coupled to outlet 54 so that the visiting computer may be powered up for the security verification tests.
  • In particular embodiments, kiosk 50 may also include a processor 55 with the software and/or hardware necessary for performing one or more security verification tests. The security verification tests may be substantially like those described above with regard to FIG. 1. For example, kiosk 50 may perform one or more antivirus scans, security patch analyses, and/or security practice assessments on a visiting computer. Where kiosk 50 includes the software and hardware for performing the security verification tests, kiosk 50 may comprise a stand alone system that operates independently of enterprise network 42. The isolation of kiosk 50 from enterprise network 42 may further prevent the spreading of malicious code to enterprise network 42 from the visiting computer being tested by kiosk 50.
  • In particular embodiments, kiosk 50 may be coupled to enterprise network 42 through gateway server 48. Kiosk 50 may have selective access to enterprise network 42 through gateway server 48 over a direct connection, a private network, or a public network, such as the Internet. In such a system, the software for performing the antivirus scans, security patch analyses, security practices assessments, or other security verification tests may be stored on kiosk 50 or on enterprise network 42. The software may be stored in database 49 or another server or storage unit in enterprise network 42. Accordingly, for the purposes of performing the security verification tests on a visiting computer, kiosk 50 may be given limited access to enterprise network 42. To prevent the spreading of malicious code from the visiting computer being tested, however, kiosk 50 may be at least partially isolated from enterprise network 42. For example, gateway server 44 may allow selective communications between kiosk 50 and enterprise network 42. Where kiosk 50 associates an identifier with a visiting computer after the tests have been performed, kiosk 50 may, in some embodiments, communicate the identifier to enterprise network 42. The identifier may be stored in database 49 or another server or storage unit in enterprise network 42 and may be referenced by enterprise network 42 to determine whether to allow the visiting computer to access enterprise network 42. In other embodiments, the identifier may not be communicated because the information required to verify the identifier is contained with the identifier or is part of the identifier.
  • Kiosk 50 may also include a display 56 to provide information to the visitor as the various security verification tests are being performed on the visitor's computer. For example, as illustrated, kiosk 50 includes a progress display 58 and a pass/fail indicator 60. Progress display 58 indicates to the visitor that kiosk 50 is in the process of performing security verification tests on the visitor's computer. For example, progress display 58 may include a light that is lit when the security verification tests are being performed. After the tests are completed, the light may turn off to indicate to the user that the computer may be safely removed from kiosk 50. As a result, the visitor may be discouraged from prematurely removing the computer from kiosk 50. Thus, damage to the computer and kiosk 50 may be prevented. Display 56 may also include a pass/fail indicator 60 to indicate to the user that the security verification tests are completed. Pass/fail indicator 60 may also indicate to the user whether the security verification tests discovered any corrupted files, corrupted systems, or other security vulnerabilities on the visitor's computer. For example, pass/fail indicator 60 may be illuminated with a red light when malicious code items are identified on the tested computer. Similarly, pass/fail indicator 60 may be illuminated green when kiosk 50 does not detect any malicious code on the computer. Thus, pass/fail indicator 60 may indicate to the user that one or more files or systems are corrupted or, alternatively, that the computer is clean.
  • In addition to or as an alternate to progress display 58 and pass/fail indicator 60, kiosk 50 may include a graphical interface display that may be used to present options or messages to the visitor. As still another alternative, kiosk 50 may communicate messages to the visitor's computer and the messages may be displayed directly on the graphical interface screen of the computer being tested.
  • In the illustrated embodiment, kiosk 50 also includes a printing module 62. Printing module 62 may be operable to generate a printed label that may be used to identify the tested computer and to indicate the result of the security verification tests to enterprise personnel. The printed label may be provided to the visitor or to security personnel operating kiosk 50 through a slot 64. For example, if it is determined from the antivirus scans, security patch analyses, security practices assessments, or other security verification tests that the tested computer is free of malicious code items and is not vulnerable to malicious code attacks, a pass label may be printed and supplied to the user of kiosk 50 through slot 64. The pass label may be adhered to the visitor or the visitor's computer to indicate to enterprise employees, administrators, and security personnel that the computer is clean and may be granted access to enterprise network 42 and network elements 46 within enterprise network 42.
  • On the other hand, printer module 62 may also operate to generate a fail label where it is determined that the tested computer is not free of malicious worms and viruses or is vulnerable to malicious code execution. The fail label may also be provided to the visitor or security personnel operating kiosk 50 through slot 64. The printed fail label may be applied to the visitor or the visitor's computer to indicate to enterprise employees, administrators, and security personnel that the computer is not clean and should not be granted access to enterprise network 42.
  • In particular embodiments, the fail label may be adapted to be adhered to one or more ports of the tested computer. The label may be used to cover the one or more ports of the visitor's computer to indicate to the visitor and to employees, administrators, and security personnel of enterprise network 42 that the ports should not be used. Where kiosk 50 is associated with a security or reception desk of an enterprise facility, security personnel may also take the computer from the visitor and hold the computer for safe keeping until the visitor is ready to leave the enterprise facility. Alternatively, the security personnel may receive notice from kiosk 50 that the visitor's computer has failed one or more security verification tests, and the security personnel may couple a plug, lock, or other physical impediment to the one or more ports of the visiting computer to prevent or deter the visitor from accessing enterprise network 42 once inside the facility.
  • The printing module 62 may also be separate from kiosk 50 without departing from the scope of the invention. For example, printing module 62 could be located behind a reception or security desk without departing from the scope of the invention.
  • In the illustrated embodiment, kiosk 50 also includes a billing module 66. As will be described in more detail below with regard to FIGS. 4 and 5, billing module 66 may be used to obtain and process payment information received from the user of kiosk 50 when the services offered by kiosk 50 are not free to the user. For example, in particular embodiments, kiosk 50 may offer remedial measures to the visitor of enterprise network 42 to fix or clean any corrupted files or systems identified on the visitor's computer before the visitor is granted access to enterprise network 42. Such remedial measures may include a software upgrade, the removal of corrupted files, the cleaning of corrupted files, or the application of required patches or upgrades. Before applying such remedial measures to the visitor's computer, however, billing module 66 may receive payment information from the visitor and authenticate the payment information where the payment information includes credit card information.
  • Although a kiosk is described for coupling to or communicating with the visiting computer, it is generally recognized that security verification station 44 may comprise any system for performing the described security verification tests. When security verification station 44 is used to safeguard an enterprise network 42, security verification station 44 may be incorporated into a security or reception desk. For example, security verification station 44 may merely comprise a port at the security or reception desk to which the visiting computer may be coupled. The port may be part of or coupled to a computer associated with the security or reception desk. As such, when a visitor enters an enterprise facility, security or other enterprise personnel may ask the visitor to couple the visitor's computer to the port at the security or reception desk. Alternatively, the security or other personnel may take the computer from the visitor to couple the computer to the port. In still other embodiments, where the computer and security verification station 44 are enabled for wireless communication, the security or reception desk may include a wireless router that may establish a communication path with the appropriate hardware of the visitor's computer without a physical coupling.
  • Although kiosk 50 is generally described as cooperating with an enterprise network 42 to safeguard the systems and files on enterprise network 42 from malicious code, it is generally recognized that kiosk 50 may operate independently of enterprise network 42. Accordingly, kiosk 50 may be sufficiently isolated from enterprise network 42 such that any corrupted files or systems discovered on the visitor's computer are also isolated from enterprise network 42. In other embodiments, kiosk 50 may have no association at all with an enterprise network. As such, kiosk 50 may include any stand-alone system for performing antivirus scans, security patch analyses, security practice assessments, or other security verification tests on a computer. For example, kiosk 50 may be located in an airport, internet cafe, shopping center, retail store, or any other public forum. Thus, and as will be described in more detail with regard to FIG. 5, kiosk 50 may be used to provide the general public with easy and comprehensive access to security verification tests. Thus, a user may include any member of the general public. As a result, any member of the general public may be able to identify, diagnose, and remedy malicious code items on the user's computer, and the general health of the individually owned computers may be more easily maintained.
  • Kiosk 50 may also be used to provide updates to software applications resident on a computer connected to kiosk 50. In a manner similar to operating system updates, kiosk 50 may check the computer to determine whether various software applications on the visitor's computer are a preferred version. The preferred version may be the most current version available or a version that is required by enterprise network 42 for security purposes. In other embodiments, the preferred version may be the version suggested or required by a provider of the software application. Where it is determined that the computer does not have the preferred version, at the option of the user, kiosk 50 may automatically update the software to the preferred version. Where a fee is charged for such an upgrade, kiosk 50 may collect the fee in the manner described herein.
  • FIG. 4 illustrates a flow chart describing an example method for restricting access to enterprise network 42 in accordance with the present invention. The method described herein may be carried out using computer software, as can any or all of the processes described herein. That software may be executed by security verification station 44, gateway server 48, network element 46, kiosk 50, computer 10, or any other computer or combination of computers.
  • In step 100, a security verification station 44 is provided. In particular embodiments, the security verification station 44 may be provided at an enterprise access point. For example, security verification station 44 may comprise a kiosk 50 located at an entrance to an enterprise facility. The kiosk 50 may be proximate to a manned security or reception desk or may stand alone, independent of any security or reception desk. In other embodiments, security verification station 44 may comprise a computer associated with the manned security or reception desk.
  • As just one example, before entering an enterprise facility or a secured area within an enterprise facility, a visitor to the enterprise facility may be required to identify and check-in any computer equipment that the visitor desires to bring into the enterprise facility. Security personnel, reception personnel, or instructional signs may direct the visitor to security verification station 44 for performance of one or more security verification tests on the visitor's computer.
  • At step 102, communication between security verification station 44 and the visitor's computer is established. At step 104, a determination may be made as to whether the visitor's computer includes one or more malicious code items or whether the visitor's computer includes programs or configurations that leave the computer vulnerable to malicious code attacks by permitting execution of malicious code items. The determination may be made by performing an antivirus scan on the files stored on the visitor's computer to identify any files corrupted with viruses, worms or other malicious code. Additionally or alternatively, security patch analyses may be performed (in the manner described above) on the visitor's computer to determine whether the computer's operating and other systems are running using the most up to date code. In addition to determining whether the visitor's computer needs one or more patches, kiosk 50 may query the computer to determine whether the computer employs any unsafe security practices, as described above. The security practice assessment may be performed in conjunction with the security patch analyses or may be performed alternatively to the security patch analyses.
  • In the example described above, the security verification tests may be performed before the visitor is allowed to proceed into the restricted portions of the enterprise facility with the computer. Thus, the tests may deter the passing on of malicious code present on the visitor's computer to enterprise network 42. In another example, where kiosk 50 is operating independently of any enterprise network, the security verification tests may be performed to improve the general health of the tested computer and to prevent the spreading of malicious code to other computing devices and systems.
  • If it is determined that the tested computer does not have any of the malicious code items or vulnerabilities tested for, the method proceeds to step 106 where the fact that the computer is clean may be indicated to the visitor or other user. For example, where security verification station 44 comprises a kiosk 50, pass/fail indicator 60 may flash or display an appropriate color identifying that the tested computer does not contain worms, viruses, or other malicious code tested for. Pass/fail indicator 60 may also identify whether the tested computer has any programs or configurations that make the computer vulnerable to malicious code attacks. In particular embodiments, pass/fail indicator 60 may indicate whether or not the computer will be granted access to network elements 46 and other resources on an enterprise network 42. Where security verification station 44 is associated with a security or reception desk, personnel at the desk may inform the visitor of the results of the security verification tests.
  • Where security verification station 44 is associated with an enterprise network 42, the computer may be identified as clean or uncorrupted to enterprise network 42 at step 108. In particular embodiments, kiosk 50 or a printer associated with a security or reception desk proximate to security verification station 44 may print a label that may be adhered to the visitor's computer or to the visitor. The label may indicate to enterprise employees, administrators, and security personnel that the tested computer is authorized to access network elements 46 or other resources on enterprise network 42. Additionally or alternatively, an identifier may be assigned to or otherwise associated with the visitor's computer. In particular embodiments, the identifier may be stored in database 49 associated with enterprise network 42, or a digital certificate may be provided to the visitor's computer.
  • At step 110, the visitor may be given access to the enterprise facility. For example, the visitor may be allowed to take the tested computer into the enterprise facility or into restricted areas of the enterprise facility. Thereafter, if the visitor tries to access network elements 46, or other resources on enterprise network 42, access may be granted to the visitor and/or the tested computer. For example, the stored identifier may be referenced for determining that access to enterprise network 42 may be granted. Alternatively, enterprise network 42 may query the visitor's computer for a digital certificate stored on the computer.
  • If it is instead determined at step 104, however, that the tested computer is corrupted with malicious code or includes vulnerable programs, systems, or configurations, the method may proceed to step 112 where the fact that the computer includes corrupted files or systems may be indicated to the visitor. For example, where security verification station 44 includes a kiosk 50, pass/fail indicator 60 may flash or display an appropriate color identifying that a problem has been identified with the visitor's computer. Where security verification station 44 is associated with enterprise network 42, personnel at a security or reception desk may additionally or alternatively inform the visitor that a problem exists on the tested computer.
  • At step 114, the computer may be identified as including corrupted files or systems to enterprise network 42. For example, an identifier may be assigned to the visitor's computer, and the identifier stored in database 49 associated with enterprise network 42. If the visitor tries to access enterprise network 42 after being granted access to the enterprise facility, the stored identifier may be referenced for determining whether to allow the visitor's computer to access enterprise network 42. In certain other embodiments, security personnel may be notified of the corrupted nature of the visitor's computer and the computer may be held by the security personnel while the visitor is in the enterprise facility.
  • In certain embodiments, remedial measures may be offered to the visitor at step 116 (which could occur earlier or later). For example, kiosk 50 or security personnel associated with enterprise network 42 may offer a software upgrade or other fix to the visitor or user. The upgrade or other fix may include the removal of the corrupted files or the application of patches or upgrades to the computer's systems. In some embodiments, where security practices are examined, certain settings may be made such that security practices are acceptable to the operator of enterprise network 42. In either case, the visitor may be given the option of having these changes made. If the visitor or user desires remedial measures to be taken to repair the computer's files or systems, the method proceeds to step 118 where payment information may be obtained if the remedial measures are not free to the visitor or user. Accordingly, kiosk 50 or the security desk associated with the enterprise facility may have equipment for obtaining credit information or other payment information from the visitor. The equipment may also be capable of authenticating credit information received from the visitor or user. For example, the credit information may be authenticated at step 120 and remedial measures taken at step 122. The remedial measures taken may include the removal or cleaning of the one or more corrupted files from the visitor's computer. Alternatively or additionally, the remedial measures may include the patching of a corrupted system with clean code or the updating of software to a more current version. After the remedial measures are complete, the method may then continue at step 110 where the visiting computer is allowed access to enterprise network 42. The method may then terminate.
  • Although the steps of offering and applying remedial measures are described above, it is generally recognized that steps 116-122 may be omitted from the security verification process. Thus, the system described may be used merely to identify corrupted files and systems. Where such remedial measures are not offered or are not accepted by the visitor and the computer is identified as having a malicious code or virus or as being vulnerable to malicious codes or viruses, however, the visiting computer may be denied access (in any of the ways described above) to enterprise network 42 at step 124.
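The determination at step 104 and the branches to steps 110, 122, and 124 can be sketched as follows. This is an added example, not code from the patent: the baseline values, report fields, patch names, and port list are constructed assumptions, and the report is taken as already collected from the visiting computer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    test: str         # "antivirus", "patch", or "practice"
    detail: str
    remediable: bool  # True if remedial measures (steps 116-122) could clear it


# Constructed baseline policy (assumption; the patent names no specific values).
BASELINE = {
    "min_os_version": "10.2.5",
    "required_patches": {"PATCH-A", "PATCH-B", "PATCH-C"},
    "risky_listeners": {
        25: "SMTP listener (check for open relay)",
        80: "web server listening (possible rogue Web server)",
        139: "NetBIOS session service open (file and printer sharing)",
    },
}

# Constructed sample reports.
CLEAN_REPORT = {
    "os_version": "10.10.0",
    "installed_patches": ["PATCH-A", "PATCH-B", "PATCH-C"],
    "listening_tcp_ports": [5353],
    "accepts_blank_password": False,
    "malicious_items": [],
}
STALE_REPORT = {
    "os_version": "10.2.4",
    "installed_patches": ["PATCH-A"],
    "listening_tcp_ports": [139, 8080],
    "accepts_blank_password": True,
    "malicious_items": ["sample-infected-file.doc"],
}


def parse_version(text):
    """'10.10.0' -> (10, 10, 0), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def evaluate(report, baseline=BASELINE):
    """Step 104: run the three kinds of test over one host report."""
    findings = []
    # Antivirus scan: items the scan identified on the visiting computer.
    for item in report.get("malicious_items", []):
        findings.append(Finding("antivirus", f"malicious code item: {item}", True))

    # Security patch analysis: version identifier, then installed-patch listing.
    try:
        current = parse_version(report.get("os_version"))
    except (AttributeError, ValueError):
        # A host that cannot state its version fails closed.
        findings.append(Finding("patch", "no usable OS version identifier", False))
    else:
        if current < parse_version(baseline["min_os_version"]):
            findings.append(Finding("patch", f"OS version {report['os_version']} is below "
                                    f"{baseline['min_os_version']}", True))
    installed = set(report.get("installed_patches", []))
    for patch in sorted(baseline["required_patches"] - installed):
        findings.append(Finding("patch", f"missing patch {patch}", True))

    # Security practices assessment; an unanswered question counts as unsafe.
    if report.get("accepts_blank_password", True):
        findings.append(Finding("practice", "accepts blank password", True))
    listening = set(report.get("listening_tcp_ports", []))
    for port in sorted(listening & set(baseline["risky_listeners"])):
        findings.append(Finding("practice", baseline["risky_listeners"][port], True))
    return findings


def access_decision(findings, remediation_accepted=False):
    """Map findings to the FIG. 4 outcomes."""
    if not findings:
        return "grant"                    # steps 106-110
    if remediation_accepted and all(f.remediable for f in findings):
        return "grant-after-remediation"  # steps 116-122, then 110
    return "deny"                         # step 124


if __name__ == "__main__":
    for name, report in (("clean", CLEAN_REPORT), ("stale", STALE_REPORT)):
        results = evaluate(report)
        print(name, access_decision(results), [f.detail for f in results])
```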
  • FIG. 5 illustrates a flow chart describing an example method for performing security verification tests on a computer in accordance with the present invention. The method described herein may be carried out using computer software, as can any or all of the processes described herein. That software may be executed by security verification station 44, gateway server 48, network element 46, kiosk 50, computer 10, or any other computer or combination of computers. The method of FIG. 5 can also be used to upgrade software applications to a preferred version. The preferred version may be that which is most recently available, that which is required by an enterprise network 42, or that which is required or suggested by a provider of the software application.
  • At step 200, a kiosk 50 is provided in a public location. For example, kiosk 50 may be located in an airport, shopping center, retail establishment, or other public forum. In such embodiments, kiosk 50 may be used to perform various security verification tests on the user's computer. Thus, kiosk 50 may be used to perform security patch analyses to verify that the applications and/or systems on the user's computer have been installed with the latest software upgrades or security patches. Additionally, kiosk 50 may be used to perform antivirus scans to identify, detect, and, in some cases, remedy any files or systems that are corrupted with viruses, worms, or other malicious code. Kiosk 50 may also be used to perform security practice assessments to determine whether any systems on the computer employ unsafe security practices.
  • As just one example, a user waiting for an airplane at an airport might desire to upgrade his computer's operating system. The user might desire to download the latest security patches for the computer's Microsoft Windows operating system. The user might also wish to scan various files and emails stored on the computer to determine if any of the files or emails are corrupted. In other embodiments, kiosk 50 may be located at an access point to an enterprise facility. In such embodiments, kiosk 50 may perform security verification tests similar to those described above in an effort to restrict a user's access to an enterprise network 42.
  • At step 202, communication between kiosk 50 and a user's computer is established. In particular embodiments, kiosk 50 may include a port or other connectable device that may be coupled to a port of the user's computer. Alternatively, where the user's computer is enabled for wireless communication, kiosk 50 may include a wireless router (or other wireless connection) for establishing a wireless communication path with appropriate hardware and software of the user's computer.
  • At step 204, kiosk 50 may display one or more security verification options to the user. The options may be displayed on display 56 or on the graphical interface screen of the user's computer. The displayed options may include a variety of security verification tests (or other tests) from which the user may choose. In particular embodiments, the options may include security patch analyses, software installments or upgrades, antivirus scans, security practices assessments, and any other processes for improving the security and health of the user's computer. Although kiosk 50 may offer all of these options to the user, it is recognized that kiosk 50 may offer any one of these or other security verification tests and may offer any combination of the same.
  • At step 206, payment information may be received and processed. Accordingly, kiosk 50 may have equipment for obtaining and processing credit card information or other payment information (e.g., debit card, ATM card, or smart card information) from the user. For example, kiosk 50 may have a credit card swipe or slot that reads payment information from the user's credit card. The kiosk 50 may then be capable of authenticating the credit card information over a telephone line, public network, or private network to verify that payment has been obtained. The payment step could occur later without departing from the scope of the invention.
  • At step 208, the computer's systems and files are scanned. As a result of the scan, a determination may be made, at step 210, as to whether the user's computer needs one or more security or file patches. To this end, kiosk 50 may perform a security patch analysis (or current software version analysis) by scanning and analyzing the operating or other systems or applications on the user's computer. The scan may be performed to determine if the computer has the preferred software. The security patch analysis may be performed by querying the computer's operating system for specific information about the version of the software supporting the operating system. Additionally or alternatively, kiosk 50 may query the computer's operating system to identify a time stamp or date stamp that is associated with the software supporting the operating system. In other embodiments, the operating system may accept commands eliciting information about what patches are installed. Accordingly, the operating system may respond to such commands by providing kiosk 50 with a list of the patches installed. Similar functionality may be provided for various software applications. This step could also include a scan for malicious code and/or remedying of a malicious code issue with any of the options described above.
  • In addition to determining whether the user's computer needs one or more patches, kiosk 50 may query the computer to determine whether the computer employs any unsafe security practices as described above.
  • If the security verification tests performed at step 210 indicate that the user's computer does not need a security patch, this is indicated to the user at step 212. The indication to the user may be made using pass/fail indicator 60 or by displaying a message to the user on display 56 or the graphical interface screen of the user's computer. On the other hand, if the security verification tests performed at step 210 indicate that the user's computer needs a security patch, this need is indicated to the user at step 214. The indication may also be made using pass/fail indicator 60, display 56, or the graphical interface screen of the user's computer.
  • At step 216, the necessary patches are applied to the computer's systems or files. For example, where kiosk 50 has determined that a file supporting the operating system is outdated, the outdated file or portion of code may be replaced with a newer version. At step 218, a determination may be made as to whether the visitor's computer includes one or more malicious code items. The determination may be made by performing an antivirus scan on the files stored on the user's computer to identify malicious code items associated with the files. Where present, the malicious code items may indicate that one or more files on the user's computer are corrupted with a virus, worm, or other malicious code. The performance of the antivirus scan may improve the general health of the user's computer and deter the spread of malicious code to other computing devices and systems. The malicious code scan could be performed before the scan of step 208 or in conjunction therewith without departing from the scope of the invention.
  • If it is determined that the user's computer is not corrupted with malicious code items, the method proceeds to step 220 where the fact that the computer is clean may be indicated to the user. For example, pass/fail indicator 60 may flash or display an appropriate color identifying that the tested computer is free of worms, viruses, and other malicious code. Alternatively or additionally, the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer. If the antivirus scan performed at step 216 indicates that the user's computer has one or more malicious code items, however, the fact that the computer includes corrupted files is indicated to the user at step 222. For example, pass/fail indicator 60 may flash or display an appropriate color identifying that a problem has been identified with the tested computer. Alternatively or additionally, the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer.
  • At step 224, remedial measures may be applied to the user's computer if the user selected that option at step 204. For example, kiosk 50 may remove the one or more corrupted files from the visitor's computer. Alternatively, kiosk 50 may clean the one or more corrupted files by removing the malicious code items. Although the steps of offering and applying remedial measures are described, it is generally recognized that step 224 may be omitted. Thus, the method may merely include the identification of corrupted files and systems. Where such remedial measures are not offered or are not accepted by the visitor and the computer is identified as having a malicious code or virus, however, the user may utilize other remedial systems to repair the corrupted files or systems.
  • At step 226, a determination is made as to whether a preferred antivirus software is installed on the computer. In particular embodiments, a scan of the computer's programs and systems may be performed to determine whether antivirus software is installed on the computer. Where such a program is identified, version information associated with the antivirus software may be obtained to determine if the software is a preferred antivirus software. The version information may be compared with version information associated with the latest version available or a preferred version.
  • Where the preferred version is identified as already being installed on the computer, a further determination may be made to identify whether the virus information associated with the preferred version is up to date. Because viruses and other malicious code typically have a short lifespan before they are discovered and can be adequately guarded against, antivirus applications typically include signature files or .dat files that identify the viruses and other malicious code for which the antivirus application will search on a computer. As new malicious codes are identified as being in circulation, the signature files and .dat files associated with antivirus applications must be updated to include the new malicious codes. Accordingly, step 226 may include the performance of an updating procedure for the signature and .dat files on the tested computer.
  • If it is determined that the user's computer includes updated antivirus software, the method proceeds to step 228 where the fact that the computer's systems are up to date may be indicated to the user. For example, pass/fail indicator 60 may flash or display an appropriate color identifying that the tested computer includes the preferred antivirus software. Alternatively or additionally, the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer. If it is determined at step 226 that the user's computer does not include the preferred antivirus software, however, the fact that the computer is deficient is indicated to the user at step 230. For example, pass/fail indicator 60 may flash or display an appropriate color identifying that a problem has been identified with the tested computer. Alternatively or additionally, the message may be conveyed to the user on display 56 or the graphical interface screen of the user's computer.
  • At step 232, remedial measures may be applied to the user's computer if the user selected that option at step 204. For example, where the user's computer is identified as not having the preferred antivirus software stored on the computer, kiosk 50 may install the preferred antivirus software program on the computer. Alternatively, where the user's computer is identified as having an outdated version of the preferred antivirus software, kiosk 50 may apply one or more patches or upgrades to the computer's existing antivirus software.
  • In particular embodiments, the programs and system patches stored in kiosk 50 may be periodically updated at step 234. Similarly, the viruses known to the antivirus scan may be periodically updated such that kiosk 50 may diagnose and remedy recently released viruses, worms, and other malicious code. For example, the signature files or .dat files identifying harmful malicious codes that are searched for by the kiosk's antivirus software application may be updated or replaced. To receive such an update, kiosk 50 may communicate with a public network such as the Internet to download the latest versions of antivirus software, security patches, and information about the latest viruses, worms, and other malicious code. In other embodiments, a hard drive or other memory or database may be updated manually. Thus, the hard drive with kiosk 50 may be replaced, or new files may be saved to the system. As a result of the periodic updating, kiosk 50 may be able to clean or protect a computer from the latest version of malicious code that is being used to interfere with the normal operation of computing systems. Additionally, and in particular embodiments, kiosk 50 may be able to offer the latest antivirus software available for downloading to the computer.
  • Although the present invention has been described in detail, it should be understood that various changes, substitutions and alterations can be made hereto without departing from the sphere and scope of the invention as defined by the appended claims. For example, the steps described with regard to FIGS. 4 and 5 are merely provided as example methods for performing the functionality described. It is recognized that the methods may be performed using any combination of the steps described together with any other appropriate steps for restricting access to an enterprise network or maintaining the general health of a computing system. Furthermore, it is recognized that the steps may be performed in any order without departing from the intended scope of the invention.
  • To aid the Patent Office, and any readers of any patent issued on this application in interpreting the claims appended hereto, applicants wish to note that they do not intend any of the appended claims to invoke ¶ 6 of 35 U.S.C. § 112 as it exists on the date of filing hereof unless “means for” or “step for” are used in the particular claim.
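
The patch, version and signature-file checks of steps 208 to 232 above can be sketched as follows. This is an added example, not code from the patent: the class and function names, the `PATCH-000x` identifiers, the product name `ExampleAV`, the dates and the seven-day signature age limit are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.10.0' -> (5, 10): compare numerically and ignore trailing zeros."""
    parts = []
    for piece in text.strip().split("."):
        if not (piece.isascii() and piece.isdigit()):
            raise ValueError(f"malformed version {text!r}")
        parts.append(int(piece))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_older(reported: Optional[str], preferred: str) -> bool:
    """True when the reported version is below the preferred one.
    A missing or malformed answer counts as older (fail closed)."""
    try:
        return parse_version(reported or "") < parse_version(preferred)
    except ValueError:
        return True


@dataclass(frozen=True)
class Baseline:  # the kiosk's "preferred version" data, refreshed at step 234
    os_version: str
    required_patches: FrozenSet[str]
    av_product: str
    av_version: str
    max_signature_age: timedelta


@dataclass(frozen=True)
class Report:  # what the computer answers when queried at step 208
    # These values are self-reported by the scanned machine; a compromised
    # system can misreport them, so a pass here is only as good as the answers.
    os_version: Optional[str]
    installed_patches: FrozenSet[str]
    av_product: Optional[str] = None
    av_version: Optional[str] = None
    signature_date: Optional[date] = None


def assess(report: Report, baseline: Baseline, today: date) -> List[Tuple[str, str]]:
    """Steps 210 and 226: an empty list drives the 'pass' indication."""
    findings = []
    if is_older(report.os_version, baseline.os_version):
        findings.append(("os_outdated", f"{report.os_version} < {baseline.os_version}"))
    for patch in sorted(baseline.required_patches - report.installed_patches):
        findings.append(("patch_missing", patch))
    if report.av_product != baseline.av_product:
        findings.append(("av_not_preferred", report.av_product or "none"))
        return findings  # version and signature checks apply to the preferred product only
    if is_older(report.av_version, baseline.av_version):
        findings.append(("av_outdated", f"{report.av_version} < {baseline.av_version}"))
    sig = report.signature_date
    if sig is None or today - sig > baseline.max_signature_age:
        findings.append(("signatures_stale", str(sig)))
    return findings


ACTIONS = {
    "os_outdated": "upgrade operating system",
    "patch_missing": "apply patch",
    "av_not_preferred": "install preferred antivirus, replacing",
    "av_outdated": "upgrade antivirus",
    "signatures_stale": "update signature files dated",
}


def remediation_plan(findings, user_opted_in: bool) -> List[str]:
    """Steps 216 and 232: change nothing unless the user chose remediation at step 204."""
    if not user_opted_in:
        return []
    return [f"{ACTIONS[kind]}: {detail}" for kind, detail in findings]


# Constructed sample data (not taken from the patent).
TODAY = date(2004, 7, 30)
BASELINE = Baseline("5.10", frozenset({"PATCH-0001", "PATCH-0002", "PATCH-0003"}),
                    "ExampleAV", "8.2", timedelta(days=7))
REPORT = Report("5.9", frozenset({"PATCH-0001", "PATCH-0003"}),
                "ExampleAV", "8.2.0", date(2004, 7, 1))

if __name__ == "__main__":
    found = assess(REPORT, BASELINE, TODAY)
    print("PASS" if not found else "FAIL")
    for line in remediation_plan(found, user_opted_in=True):
        print(" -", line)
```

Comparing the raw strings would rank `"5.9"` above `"5.10"` and pass the outdated machine, which is why the versions are parsed into integer tuples before comparison.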

Claims (29)

1. A method for updating the version of software resident on a computer comprising:
providing a kiosk in a public place;
establishing a communication path between the kiosk and a computer to be tested; and
determining, using the kiosk, whether at least one program resident on the computer is a preferred version.
2. The method of claim 1, wherein establishing the communication path between the kiosk and the computer comprises coupling a port of the kiosk to a port of the computer.
3. The method of claim 1, wherein establishing the communication path between the kiosk and the computer comprises establishing a wireless communication path between the kiosk and the computer.
4. The method of claim 1, further comprising indicating to a user that the at least one program is not the preferred version if it is determined that the at least one program is not a latest version available.
5. The method of claim 1, further comprising indicating to a user that the at least one program is current if it is determined that the at least one program is the preferred version.
6. The method of claim 1, further comprising presenting one or more options to the user.
7. The method of claim 6, further comprising receiving from the user a selection of the one or more options, the selection comprising directions causing the processor to perform an antivirus scan, software upgrade analysis, security practice assessment analysis, or a security patch analysis.
8. The method of claim 1, further comprising applying a patch to code associated with the at least one program if it is determined that the at least one program is not the preferred version, the patch replacing a portion of the code.
9. The method of claim 1, further comprising:
receiving version information associated with the at least one program; and
comparing the version information to information associated with the preferred version.
10. The method of claim 1, further comprising receiving payment information from a user before scanning the at least one program resident on the computer.
11. The method of claim 1, further comprising determining whether the computer has one or more malicious code items.
12. The method of claim 11, further comprising removing a file associated with the one or more malicious code items from the computer if it is determined that the computer has the one or more malicious code items.
13. The method of claim 1, further comprising receiving payment information from a user if it is determined that the at least one program is not the preferred version.
14. The method of claim 1, wherein providing the kiosk in a public place comprises placing the kiosk in an airport, train station, office building, bus station, shopping center, or retail business.
15. A kiosk for testing the security of a computer comprising:
a communication link operable to establish a communication path between the kiosk and a computer to be tested;
computer software operable to communicate with the computer to be tested through the communication link and further operable to:
scan at least one program resident on the computer; and
determine whether the at least one program resident on the computer is a preferred version; and
wherein the kiosk is located in a public place.
16. The kiosk of claim 15, wherein the communication link comprises a port operable to physically couple to a port of the computer.
17. The kiosk of claim 15, wherein the communication link comprises a wireless communication path between the computer and the processor.
18. The kiosk of claim 15, wherein the kiosk further comprises a display coupled to the processor.
19. The kiosk of claim 18, wherein the display is operable to indicate to a user that the at least one program is not the preferred version if it is determined that the at least one program is not a latest version available.
20. The kiosk of claim 18, wherein the display is operable to indicate to a user that the at least one program is current if it is determined that the at least one program is the preferred version.
21. The kiosk of claim 18, wherein the display is further operable to present one or more options to the user.
22. The kiosk of claim 21, wherein the one or more options are selectable by the user, the one or more options comprising directions causing the processor to perform an antivirus scan, software upgrade analysis, security practice assessment, or a security patch analysis.
23. The kiosk of claim 15, wherein the processor is further operable to apply a patch to code associated with the at least one program if it is determined that the at least one program is not the preferred version, the patch replacing a portion of the code.
24. The kiosk of claim 15, wherein the processor is further operable to
receive version information associated with the at least one program; and
compare the version information to information associated with the preferred version.
25. The kiosk of claim 15, wherein the processor is operable to receive payment information from a user before scanning the at least one program resident on the computer.
26. The kiosk of claim 15, wherein the processor is further operable to determine whether the computer has one or more malicious code items.
27. The kiosk of claim 26, wherein the processor is further operable to remove a file associated with the one or more malicious code items from the computer if it is determined that the computer has one or more malicious code items.
28. The kiosk of claim 26, wherein the processor is operable to receive payment information from a user if it is determined that the at least one program is not the preferred version.
29. The kiosk of claim 15, wherein the public place comprises an airport, train station, office building, bus station, shopping center, or retail business.
US10/903,257 2004-07-30 2004-07-30 System and method for updating software on a computer Active 2026-11-26 US8146072B2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
US10/903,257 US8146072B2 (en) 2004-07-30 2004-07-30 System and method for updating software on a computer
EP05769551.2A EP1779242B1 (en) 2004-07-30 2005-07-08 System and method for updating software on a computer
CA002575157A CA2575157A1 (en) 2004-07-30 2005-07-08 System and method for updating software on a computer
AU2005275256A AU2005275256A1 (en) 2004-07-30 2005-07-08 System and method for updating software on a computer
PCT/US2005/024629 WO2006019718A2 (en) 2004-07-30 2005-07-08 System and method for updating software on a computer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/903,257 US8146072B2 (en) 2004-07-30 2004-07-30 System and method for updating software on a computer

Publications (2)

Publication Number Publication Date
US20060026283A1 true US20060026283A1 (en) 2006-02-02
US8146072B2 US8146072B2 (en) 2012-03-27

Family

ID=35733687

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/903,257 Active 2026-11-26 US8146072B2 (en) 2004-07-30 2004-07-30 System and method for updating software on a computer

Country Status (5)

Country Link
US (1) US8146072B2 (en)
EP (1) EP1779242B1 (en)
AU (1) AU2005275256A1 (en)
CA (1) CA2575157A1 (en)
WO (1) WO2006019718A2 (en)

Cited By (116)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020099794A1 (en) * 2000-11-22 2002-07-25 Lockheed Martin Corporation Method and system for processing a visitor request over an intranet
US7441004B2 (en) * 2000-11-22 2008-10-21 Lockheed Martin Corporation Method and system for processing a visitor request over an intranet
US7509676B2 (en) 2004-07-30 2009-03-24 Electronic Data Systems Corporation System and method for restricting access to an enterprise network
US20060026686A1 (en) * 2004-07-30 2006-02-02 Trueba Luis R Z System and method for restricting access to an enterprise network
US8434152B2 (en) 2004-07-30 2013-04-30 Hewlett-Packard Development Company, L.P. System and method for restricting access to an enterprise network
US20090183233A1 (en) * 2004-07-30 2009-07-16 Electronic Data Systems Corporation System and Method for Restricting Access to an Enterprise Network
US20060195904A1 (en) * 2005-02-28 2006-08-31 Williams Larry L Data storage device with code scanning capabilty
US7743417B2 (en) * 2005-02-28 2010-06-22 Hitachi Global Storage Technologies Netherlands B.V. Data storage device with code scanning capability
US20070073735A1 (en) * 2005-09-22 2007-03-29 Stuart Clarke Repair of network communication files
US7730359B2 (en) * 2005-09-22 2010-06-01 At&T Intellectual Property I, L.P. Repair of network communication files
US20070112891A1 (en) * 2005-11-14 2007-05-17 Apple Computer, Inc. Converting file-systems that organize and store data for computing systems
US7836105B2 (en) * 2005-11-14 2010-11-16 Apple Inc. Converting file-systems that organize and store data for computing systems
US20080010246A1 (en) * 2006-07-06 2008-01-10 Curtis Bryce A System and method for providing operating system component version verification
US20080072050A1 (en) * 2006-09-15 2008-03-20 Sun Microsystems, Inc. Systems and methods for using an access point for testing multiple devices and using several consoles
US7979532B2 (en) * 2006-09-15 2011-07-12 Oracle America, Inc. Systems and methods for using an access point for testing multiple devices and using several consoles
US9860263B2 (en) 2008-10-21 2018-01-02 Lookout, Inc. System and method for assessing data objects on mobile communications devices
US8997181B2 (en) 2008-10-21 2015-03-31 Lookout, Inc. Assessing the security state of a mobile communications device
US11080407B2 (en) 2008-10-21 2021-08-03 Lookout, Inc. Methods and systems for analyzing data after initial analyses by known good and known bad security components
US20110145920A1 (en) * 2008-10-21 2011-06-16 Lookout, Inc System and method for adverse mobile application identification
US10509911B2 (en) 2008-10-21 2019-12-17 Lookout, Inc. Methods and systems for conditionally granting access to services based on the security state of the device requesting access
US10509910B2 (en) 2008-10-21 2019-12-17 Lookout, Inc. Methods and systems for granting access to services based on a security state that varies with the severity of security events
US8347386B2 (en) 2008-10-21 2013-01-01 Lookout, Inc. System and method for server-coupled malware prevention
US8365252B2 (en) 2008-10-21 2013-01-29 Lookout, Inc. Providing access levels to services based on mobile device security state
US8381303B2 (en) 2008-10-21 2013-02-19 Kevin Patrick Mahaffey System and method for attack and malware prevention
US10417432B2 (en) 2008-10-21 2019-09-17 Lookout, Inc. Methods and systems for blocking potentially harmful communications to improve the functioning of an electronic device
US20110047620A1 (en) * 2008-10-21 2011-02-24 Lookout, Inc., A California Corporation System and method for server-coupled malware prevention
US9996697B2 (en) 2008-10-21 2018-06-12 Lookout, Inc. Methods and systems for blocking the installation of an application to improve the functioning of a mobile communications device
US8505095B2 (en) 2008-10-21 2013-08-06 Lookout, Inc. System and method for monitoring and analyzing multiple interfaces and multiple protocols
US8510843B2 (en) 2008-10-21 2013-08-13 Lookout, Inc. Security status and information display system
US8533844B2 (en) 2008-10-21 2013-09-10 Lookout, Inc. System and method for security data collection and analysis
US9781148B2 (en) 2008-10-21 2017-10-03 Lookout, Inc. Methods and systems for sharing risk responses between collections of mobile communications devices
US8561144B2 (en) 2008-10-21 2013-10-15 Lookout, Inc. Enforcing security based on a security state assessment of a mobile device
US9779253B2 (en) 2008-10-21 2017-10-03 Lookout, Inc. Methods and systems for sharing risk responses to improve the functioning of mobile communications devices
US9740852B2 (en) 2008-10-21 2017-08-22 Lookout, Inc. System and method for assessing an application to be installed on a mobile communications device
US8683593B2 (en) 2008-10-21 2014-03-25 Lookout, Inc. Server-assisted analysis of data for a mobile device
US9407640B2 (en) 2008-10-21 2016-08-02 Lookout, Inc. Assessing a security state of a mobile communications device to determine access to specific tasks
US9367680B2 (en) 2008-10-21 2016-06-14 Lookout, Inc. System and method for mobile communication device application advisement
US9344431B2 (en) 2008-10-21 2016-05-17 Lookout, Inc. System and method for assessing an application based on data from multiple devices
US8745739B2 (en) 2008-10-21 2014-06-03 Lookout, Inc. System and method for server-coupled application re-analysis to obtain characterization assessment
US8752176B2 (en) 2008-10-21 2014-06-10 Lookout, Inc. System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment
US9294500B2 (en) 2008-10-21 2016-03-22 Lookout, Inc. System and method for creating and applying categorization-based policy to secure a mobile communications device from access to certain data objects
US9245119B2 (en) 2008-10-21 2016-01-26 Lookout, Inc. Security status assessment using mobile device security information database
US8826441B2 (en) 2008-10-21 2014-09-02 Lookout, Inc. Event-based security state assessment and display for mobile devices
US9235704B2 (en) 2008-10-21 2016-01-12 Lookout, Inc. System and method for a scanning API
US9223973B2 (en) 2008-10-21 2015-12-29 Lookout, Inc. System and method for attack and malware prevention
US9100389B2 (en) 2008-10-21 2015-08-04 Lookout, Inc. Assessing an application based on application data associated with the application
US9065846B2 (en) 2008-10-21 2015-06-23 Lookout, Inc. Analyzing data gathered through different protocols
US8875289B2 (en) 2008-10-21 2014-10-28 Lookout, Inc. System and method for preventing malware on a mobile communication device
US8881292B2 (en) 2008-10-21 2014-11-04 Lookout, Inc. Evaluating whether data is safe or malicious
US9043919B2 (en) 2008-10-21 2015-05-26 Lookout, Inc. Crawling multiple markets and correlating
US8984628B2 (en) 2008-10-21 2015-03-17 Lookout, Inc. System and method for adverse mobile application identification
US8774788B2 (en) 2009-02-17 2014-07-08 Lookout, Inc. Systems and methods for transmitting a communication based on a device leaving or entering an area
US9179434B2 (en) 2009-02-17 2015-11-03 Lookout, Inc. Systems and methods for locking and disabling a device in response to a request
US9042876B2 (en) 2009-02-17 2015-05-26 Lookout, Inc. System and method for uploading location information based on device movement
US8538815B2 (en) 2009-02-17 2013-09-17 Lookout, Inc. System and method for mobile device replacement
US9569643B2 (en) 2009-02-17 2017-02-14 Lookout, Inc. Method for detecting a security event on a portable electronic device and establishing audio transmission with a client computer
US9100925B2 (en) 2009-02-17 2015-08-04 Lookout, Inc. Systems and methods for displaying location information of a device
US8855601B2 (en) 2009-02-17 2014-10-07 Lookout, Inc. System and method for remotely-initiated audio communication
US8635109B2 (en) 2009-02-17 2014-01-21 Lookout, Inc. System and method for providing offers for mobile devices
US9167550B2 (en) 2009-02-17 2015-10-20 Lookout, Inc. Systems and methods for applying a security policy to a device based on location
US10419936B2 (en) 2009-02-17 2019-09-17 Lookout, Inc. Methods and systems for causing mobile communications devices to emit sounds with encoded information
US10623960B2 (en) 2009-02-17 2020-04-14 Lookout, Inc. Methods and systems for enhancing electronic device security by causing the device to go into a mode for lost or stolen devices
US20110047033A1 (en) * 2009-02-17 2011-02-24 Lookout, Inc. System and method for mobile device replacement
US20100210240A1 (en) * 2009-02-17 2010-08-19 Flexilis, Inc. System and method for remotely securing or recovering a mobile device
US9232491B2 (en) 2009-02-17 2016-01-05 Lookout, Inc. Mobile device geolocation
US8825007B2 (en) 2009-02-17 2014-09-02 Lookout, Inc. Systems and methods for applying a security policy to a device based on a comparison of locations
US8682400B2 (en) 2009-02-17 2014-03-25 Lookout, Inc. Systems and methods for device broadcast of location information when battery is low
US8467768B2 (en) 2009-02-17 2013-06-18 Lookout, Inc. System and method for remotely securing or recovering a mobile device
US8929874B2 (en) 2009-02-17 2015-01-06 Lookout, Inc. Systems and methods for remotely controlling a lost mobile communications device
US9955352B2 (en) 2009-02-17 2018-04-24 Lookout, Inc. Methods and systems for addressing mobile communications devices that are lost or stolen but not yet reported as such
US20110060945A1 (en) * 2009-09-08 2011-03-10 Softthinks Sas Smart repair of computer systems
USRE48669E1 (en) 2009-11-18 2021-08-03 Lookout, Inc. System and method for identifying and [assessing] remediating vulnerabilities on a mobile communications device
US8397301B2 (en) 2009-11-18 2013-03-12 Lookout, Inc. System and method for identifying and assessing vulnerabilities on a mobile communication device
USRE47757E1 (en) 2009-11-18 2019-12-03 Lookout, Inc. System and method for identifying and assessing vulnerabilities on a mobile communications device
USRE46768E1 (en) 2009-11-18 2018-03-27 Lookout, Inc. System and method for identifying and assessing vulnerabilities on a mobile communications device
US20110119765A1 (en) * 2009-11-18 2011-05-19 Flexilis, Inc. System and method for identifying and assessing vulnerabilities on a mobile communication device
USRE49634E1 (en) 2009-11-18 2023-08-29 Lookout, Inc. System and method for determining the risk of vulnerabilities on a mobile communications device
US20110289231A1 (en) * 2010-05-21 2011-11-24 Siemens Aktiengesellschaft Plug-in Connector System for Protected Establishment of a Network Connection
US8843641B2 (en) * 2010-05-21 2014-09-23 Siemens Aktiengesellschaft Plug-in connector system for protected establishment of a network connection
US9319292B2 (en) 2011-06-14 2016-04-19 Lookout, Inc. Client activity DNS optimization
US8738765B2 (en) 2011-06-14 2014-05-27 Lookout, Inc. Mobile device DNS optimization
US10181118B2 (en) 2011-08-17 2019-01-15 Lookout, Inc. Mobile communications device payment method utilizing location information
US8788881B2 (en) 2011-08-17 2014-07-22 Lookout, Inc. System and method for mobile device push communications
US9053321B2 (en) * 2011-10-07 2015-06-09 Imation Corp. Antivirus system and method for removable media devices
US20140130168A1 (en) * 2011-10-07 2014-05-08 Imation Corp. Antivirus system and method for removable media devices
US10419222B2 (en) 2012-06-05 2019-09-17 Lookout, Inc. Monitoring for fraudulent or harmful behavior in applications being installed on user devices
US9407443B2 (en) 2012-06-05 2016-08-02 Lookout, Inc. Component analysis of software applications on computing devices
US10256979B2 (en) 2012-06-05 2019-04-09 Lookout, Inc. Assessing application authenticity and performing an action in response to an evaluation result
US9215074B2 (en) 2012-06-05 2015-12-15 Lookout, Inc. Expressing intent to control behavior of application components
US9940454B2 (en) 2012-06-05 2018-04-10 Lookout, Inc. Determining source of side-loaded software using signature of authorship
US11336458B2 (en) 2012-06-05 2022-05-17 Lookout, Inc. Evaluating authenticity of applications based on assessing user device context for increased security
US9992025B2 (en) 2012-06-05 2018-06-05 Lookout, Inc. Monitoring installed applications on user devices
US9589129B2 (en) 2012-06-05 2017-03-07 Lookout, Inc. Determining source of side-loaded software
US10169590B2 (en) * 2012-06-07 2019-01-01 Beijing Qihoo Technology Company Limited Apparatus and method for displaying computer health index
US20170228545A1 (en) * 2012-06-07 2017-08-10 Beijing Qihoo Technology Company Limited Apparatus and Method for Displaying Computer Health Index
US9769749B2 (en) 2012-10-26 2017-09-19 Lookout, Inc. Modifying mobile device settings for resource conservation
US9408143B2 (en) 2012-10-26 2016-08-02 Lookout, Inc. System and method for using context models to control operation of a mobile communications device
US8655307B1 (en) 2012-10-26 2014-02-18 Lookout, Inc. System and method for developing, updating, and using user device behavioral context models to modify user, device, and application state, settings and behavior for enhanced user security
US9208215B2 (en) 2012-12-27 2015-12-08 Lookout, Inc. User classification based on data gathered from a computing device
US9374369B2 (en) 2012-12-28 2016-06-21 Lookout, Inc. Multi-factor authentication and comprehensive login system for client-server networks
US8855599B2 (en) 2012-12-31 2014-10-07 Lookout, Inc. Method and apparatus for auxiliary communications with mobile communications device
US9424409B2 (en) 2013-01-10 2016-08-23 Lookout, Inc. Method and system for protecting privacy and enhancing security on an electronic device
US9158923B2 (en) 2013-01-23 2015-10-13 International Business Machines Corporation Mitigating security risks via code movement
US10452862B2 (en) 2013-10-25 2019-10-22 Lookout, Inc. System and method for creating a policy for managing personal data on a mobile communications device
US9642008B2 (en) 2013-10-25 2017-05-02 Lookout, Inc. System and method for creating and assigning a policy for a mobile communications device based on personal data
US10990696B2 (en) 2013-10-25 2021-04-27 Lookout, Inc. Methods and systems for detecting attempts to access personal information on mobile communications devices
US10122747B2 (en) 2013-12-06 2018-11-06 Lookout, Inc. Response generation after distributed monitoring and evaluation of multiple devices
US10742676B2 (en) 2013-12-06 2020-08-11 Lookout, Inc. Distributed monitoring and evaluation of multiple devices
US9753796B2 (en) 2013-12-06 2017-09-05 Lookout, Inc. Distributed monitoring, evaluation, and response for multiple devices
US9472031B2 (en) * 2014-10-30 2016-10-18 Olivier Pouille Security kiosk and system and method of controlling access using thereof
US10540494B2 (en) 2015-05-01 2020-01-21 Lookout, Inc. Determining source of side-loaded software using an administrator server
US11259183B2 (en) 2015-05-01 2022-02-22 Lookout, Inc. Determining a security state designation for a computing device based on a source of software
CN106487580A (en) * 2016-09-18 2017-03-08 安徽爱她有果电子商务有限公司 A kind of array distributed computer parallel upgrade method of multimachine
US11038876B2 (en) 2017-06-09 2021-06-15 Lookout, Inc. Managing access to services based on fingerprint matching
US10218697B2 (en) 2017-06-09 2019-02-26 Lookout, Inc. Use of device risk evaluation to manage access to services
US20210004470A1 (en) * 2018-05-21 2021-01-07 Google Llc Automatic Generation Of Patches For Security Violations

Also Published As

Publication number Publication date
EP1779242B1 (en) 2017-05-10
WO2006019718A3 (en) 2006-06-08
AU2005275256A1 (en) 2006-02-23
US8146072B2 (en) 2012-03-27
WO2006019718A2 (en) 2006-02-23
EP1779242A2 (en) 2007-05-02
CA2575157A1 (en) 2006-02-23

Similar Documents

Publication Publication Date Title
US8146072B2 (en) System and method for updating software on a computer
US8434152B2 (en) System and method for restricting access to an enterprise network
US10313350B2 (en) Remote access to resources over a network
US10091220B2 (en) Platform for protecting small and medium enterprises from cyber security threats
US9363286B2 (en) System and methods for detection of fraudulent online transactions
US8359464B2 (en) Quarantine method and system
US8301769B2 (en) Classifying an operating environment of a remote computer
US8219496B2 (en) Method of and apparatus for ascertaining the status of a data processing environment
USRE45326E1 (en) Systems and methods for securing computers
US8046836B2 (en) Method for device quarantine and quarantine network system
US20130117854A1 (en) System and Method for Bidirectional Trust Between Downloaded Applications and Mobile Devices Including a Secure Charger and Malware Scanner
CN102132287A (en) Protecting virtual guest machine from attacks by infected host
WO2006012014A2 (en) Security protection apparatus and methods for endpoint computing systems
US7660412B1 (en) Generation of debug information for debugging a network security appliance
US9021253B2 (en) Quarantine method and system
US20060248578A1 (en) Method, system, and program product for connecting a client to a network
KR101308703B1 (en) Security system for electronic commerce and method thereof
KR101088084B1 (en) Method and system for monitoring and cutting off illegal electronic-commerce transaction
Anderson Introduction to nessus
Cisco Release Notes for Cisco Aironet Client Utilities
CN113868669A (en) Vulnerability detection method and system
Land Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers
Kent et al. Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

Legal Events

Date Code Title Description
AS Assignment

Owner name: ELECTRONIC DATA SYSTEMS CORPORATION, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TRUEBA, LUIS RUBEN ZAPIEN;REEL/FRAME:015888/0575

Effective date: 20040730

AS Assignment

Owner name: ELECTRONIC DATA SYSTEMS, LLC, DELAWARE

Free format text: CHANGE OF NAME;ASSIGNOR:ELECTRONIC DATA SYSTEMS CORPORATION;REEL/FRAME:022460/0948

Effective date: 20080829

AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ELECTRONIC DATA SYSTEMS, LLC;REEL/FRAME:022449/0267

Effective date: 20090319

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.;REEL/FRAME:037079/0001

Effective date: 20151027

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12